
ACL to permit access to some attributes



Hello,

 I'm testing an OpenLDAP 2.1.27 server and I need to
give read access to the mail attribute of each entry
without exposing other attributes.

It seems easy to do, and after several tries I don't see
where the error is.

This is my current ACL:

access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to * attrs=mail
      by * read

but all searches for the mail attribute return an
empty response.

Any idea where the problem is?

Thank you.

	/-------/

ldapsearch -x  -h 195.55.55.167 -s sub -b "dc=fadesa,dc=es" '(mail=*)'
# extended LDIF
#
# LDAPv3
# base <dc=fadesa,dc=es> with scope sub
# filter: (mail=*)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

	/-------/

# /usr/local/libexec/slapd -4 -h ldap:// -d 224
bdb_initialize: Sleepycat Software: Berkeley DB 4.1.25: (December 19, 2002)
reading config file /usr/local/etc/openldap/slapd.conf
line 6 (include         /usr/local/etc/openldap/schema/core.schema)
reading config file /usr/local/etc/openldap/schema/core.schema
*** snip subschema ****
line 11 (schemacheck on)
line 12 (defaultsearchbase dc=fadesa,dc=es)
line 23 (pidfile        /var/run/slapd.pid)
line 24 (argsfile /var/run/slapd.args)
line 26 (sasl-secprops none)
line 56 (access to dn.base="" by * read)
Global ACL: access to *
        by * read(=rscx)

line 57 (access to dn.base="cn=Subschema" by * read)
Global ACL: access to dn.base=cn=subschema
        by * read(=rscx)

line 63 (access to * attrs=mail         by * read )
Global ACL: access to attrs=mail
        by * read(=rscx)

line 90 (database bdb)
bdb_db_init: Initializing BDB database
line 91 (suffix         "dc=fadesa,dc=es")
line 92 (rootdn         "cn=jefazo,dc=fadesa,dc=es")
line 97 (rootpw ***)
line 99 (password-hash   {CLEARTEXT})
line 104 (directory /var/db/openldap-data)
line 107 (index objectClass     eq)
index objectClass 0x0004
line 108 (index uid     eq)
index uid 0x0004
line 109 (index cn      eq)
index cn 0x0004
line 112 (lastmod         yes)
line 115 (cachesize       200000)
line 121 (idletimeout 900)
slapd starting
str2filter "(objectclass=*)"
begin get_filter
PRESENT
end get_filter 0
begin get_filter
PRESENT
end get_filter 0
=> bdb_filter_candidates
        AND
=> bdb_list_candidates 0xa0
=> bdb_filter_candidates
        DN SUBTREE
<= bdb_filter_candidates: id=-1 first=1 last=8
=> bdb_filter_candidates
        OR
=> bdb_list_candidates 0xa1
=> bdb_filter_candidates
        EQUALITY
<= bdb_filter_candidates: id=0 first=0 last=0
=> bdb_filter_candidates
        PRESENT
<= bdb_filter_candidates: id=-1 first=1 last=8
<= bdb_list_candidates: id=-1 first=1 last=8
<= bdb_filter_candidates: id=-1 first=1 last=8
<= bdb_list_candidates: id=-1 first=1 last=8
<= bdb_filter_candidates: id=-1 first=1 last=8
=> test_filter
    PRESENT
=> access_allowed: search access to "dc=fadesa,dc=es" "mail" requested
=> dn: [1]
=> dn: [2] cn=subschema
=> acl_get: [3] check attr mail
<= acl_get: [3] acl dc=fadesa,dc=es attr: mail
=> acl_mask: access to entry "dc=fadesa,dc=es", attr "mail" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscx) (stop)
<= acl_mask: [1] mask: read(=rscx)
=> access_allowed: search access granted by read(=rscx)
<= test_filter 5
=> test_filter
    PRESENT
=> access_allowed: search access to "uid=00002,dc=fadesa,dc=es" "mail" requested
=> dn: [1]
=> dn: [2] cn=subschema
=> acl_get: [3] check attr mail
<= acl_get: [3] acl uid=00002,dc=fadesa,dc=es attr: mail
=> acl_mask: access to entry "uid=00002,dc=fadesa,dc=es", attr "mail" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscx) (stop)
<= acl_mask: [1] mask: read(=rscx)
=> access_allowed: search access granted by read(=rscx)
<= test_filter 5
=> test_filter
    PRESENT
=> access_allowed: search access to "uid=00001,dc=fadesa,dc=es" "mail" requested
=> dn: [1]
=> dn: [2] cn=subschema
=> acl_get: [3] check attr mail
<= acl_get: [3] acl uid=00001,dc=fadesa,dc=es attr: mail
=> acl_mask: access to entry "uid=00001,dc=fadesa,dc=es", attr "mail" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscx) (stop)
<= acl_mask: [1] mask: read(=rscx)
=> access_allowed: search access granted by read(=rscx)
<= test_filter 6
=> access_allowed: read access to "uid=00001,dc=fadesa,dc=es" "entry" requested
=> dn: [1]
=> dn: [2] cn=subschema
=> acl_get: [3] check attr entry
<= acl_get: done.
=> access_allowed: no more rules
send_search_entry: access to entry not allowed
=> test_filter
    PRESENT
=> access_allowed: search access to "uid=00004,dc=fadesa,dc=es" "mail" requested
=> dn: [1]
=> dn: [2] cn=subschema
=> acl_get: [3] check attr mail
<= acl_get: [3] acl uid=00004,dc=fadesa,dc=es attr: mail
=> acl_mask: access to entry "uid=00004,dc=fadesa,dc=es", attr "mail" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscx) (stop)
<= acl_mask: [1] mask: read(=rscx)
=> access_allowed: search access granted by read(=rscx)
<= test_filter 5
=> test_filter
    PRESENT
=> access_allowed: search access to "uid=00003,dc=fadesa,dc=es" "mail" requested
=> dn: [1]
=> dn: [2] cn=subschema
=> acl_get: [3] check attr mail
<= acl_get: [3] acl uid=00003,dc=fadesa,dc=es attr: mail
=> acl_mask: access to entry "uid=00003,dc=fadesa,dc=es", attr "mail" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscx) (stop)
<= acl_mask: [1] mask: read(=rscx)
=> access_allowed: search access granted by read(=rscx)
<= test_filter 5
=> test_filter
    PRESENT
=> access_allowed: search access to "uid=00010,dc=fadesa,dc=es" "mail" requested
=> dn: [1]
=> dn: [2] cn=subschema
=> acl_get: [3] check attr mail
<= acl_get: [3] acl uid=00010,dc=fadesa,dc=es attr: mail
=> acl_mask: access to entry "uid=00010,dc=fadesa,dc=es", attr "mail" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscx) (stop)
<= acl_mask: [1] mask: read(=rscx)
=> access_allowed: search access granted by read(=rscx)
<= test_filter 6
=> access_allowed: read access to "uid=00010,dc=fadesa,dc=es" "entry" requested
=> dn: [1]
=> dn: [2] cn=subschema
=> acl_get: [3] check attr entry
<= acl_get: done.
=> access_allowed: no more rules
send_search_entry: access to entry not allowed

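The debug trace above shows where the request fails: search access to mail is granted for every entry, but the later "read access to ... "entry" requested ... no more rules ... access to entry not allowed" lines show that no ACL covers the entry pseudo-attribute, so slapd withholds the whole entry. The fragment below is an added example, not from the original post; it assumes the same slapd.conf ACL syntax as the post and shows the posted ACL beside a corrected one.

```conf
# Added example (not from the original post): slapd.conf ACL fragment.
# slapd needs read access to the "entry" pseudo-attribute before it will
# return an entry at all; the posted rules never grant it, so the implicit
# final "by * none" applies and every matching entry is dropped.

# Original ACL from the post: mail is searchable and readable, but "entry"
# falls through to the implicit "by * none".
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to * attrs=mail
      by * read

# Corrected ACL: grant read on "entry" together with mail. Anonymous clients
# can now see that an entry exists and read its mail attribute, while every
# other attribute still falls through to the implicit final "by * none",
# which keeps the "without exposing other attributes" requirement intact.
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to * attrs=entry,mail
      by * read
```

After restarting slapd with the corrected rules, rerunning the same anonymous ldapsearch with the (mail=*) filter should return each entry with only its mail attribute; the -d 224 trace should then show "read access to ... "entry" ... granted" instead of "access to entry not allowed".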