
Re: Access list - limiting access to attribute



Lukas Kubin writes:
>Hallvard B Furuseth wrote:
>
>> You can grant mailBrowser 'entry' access, which just grants access to
>> the entry without granting access to the attributes in it.  I'm not sure
>> just what 'entry' access allows mailBrowser to do with the entry, but at
>> least it's more restrictive than giving mailBrowser full access:
> 
> OK. I created another rule granting access to "entry". However it didn't 
> work until I had appended "objectClass" there too.

Oh.  I forgot you have to find the entry:-)

> I found in log that the system is requesting access to objectClass. I 
> don't understand, why? I don't use any filter when testing the ldapsearch.

The LDAP standard requires a filter.  "(objectClass=*)" is the standard
LDAP filter which means "match everything".  Ldapsearch uses that if you
do not specify a filter.  I used the filter "(&)", the "TRUE filter"
extension, when I tested the reply I sent you, so it worked for me
without giving access to objectClass.

BTW, if you do not wish to rely on extensions like (&), it should be
enough to grant 's' access to objectClass, so mailBrowser can search for
but not read objectClass.  See the slapd.access manpage.

-- 
Hallvard
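For readers who want to see what the advice above looks like as actual slapd.conf directives, here is an added example; it is not part of the thread and was not posted by either participant. The DIT layout (people under ou=people,dc=example,dc=com), the bind DN cn=mailBrowser,ou=services,dc=example,dc=com, and the choice of mail as the one attribute the browser may read are all assumptions made for illustration. The rules follow the slapd.access(5) semantics discussed in the reply: 'entry' is the pseudo-attribute for the entry itself, and the "=s" privilege on objectClass is exactly enough for the default "(objectClass=*)" filter to match without letting mailBrowser read objectClass values back.

```conf
# Added example (not from the thread).  Assumed DIT: person entries under
# ou=people,dc=example,dc=com; the restricted reader binds as
# cn=mailBrowser,ou=services,dc=example,dc=com (hypothetical DNs).
#
# slapd evaluates "access to" clauses in order and uses the first whose
# target matches; within it, the first matching "by" clause decides.  If no
# "by" clause matches, access is denied.  "break" hands non-matching
# requesters on to the following clauses so that the rules for mailBrowser
# do not accidentally lock out everyone else.

# 1. mailBrowser must be able to find and return the entries at all.
#    read on 'entry' covers both locating the entry and returning it.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=entry
        by dn.exact="cn=mailBrowser,ou=services,dc=example,dc=com" read
        by * break

# 2. The implicit filter "(objectClass=*)" needs search ('s') access to
#    objectClass.  "=s" grants exactly that privilege and nothing more, so
#    objectClass is searchable but its values are never disclosed.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=objectClass
        by dn.exact="cn=mailBrowser,ou=services,dc=example,dc=com" =s
        by * break

# 3. The single attribute mailBrowser is meant to see.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=mail
        by dn.exact="cn=mailBrowser,ou=services,dc=example,dc=com" read
        by * break

# 4. Everything else in those entries is hidden from mailBrowser; the
#    remaining "by" clauses are the site's ordinary policy (assumed here).
access to dn.subtree="ou=people,dc=example,dc=com"
        by dn.exact="cn=mailBrowser,ou=services,dc=example,dc=com" none
        by self write
        by users read
```

To check the result, bind as mailBrowser and run ldapsearch against the subtree once with no filter (so the default "(objectClass=*)" is used) and once explicitly requesting objectClass: entries and their mail values should come back in both cases, while objectClass should never appear in the output. If the first search returns nothing, rule 2 is missing or is shadowed by an earlier clause that matches the same target.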