Re: Limiting attributes through ACL
Pierangelo Masarati wrote:
[please keep replies on the list]
Oops. Sorry about that. I just hit Reply to the message not realizing
that the reply wasn't going to the list but just to you directly.
Dan Ciarniello wrote:
# anyone can see the cn of inetOrgPersons
access to filter="(objectClass=inetOrgPerson)" attrs=cn
by * read
# only users can see anything else of inetOrgPersons
access to filter="(objectClass=inetOrgPerson)"
by users read
Unfortunately, that doesn't seem to do it. I set the above filters but
I still get back all attributes when binding anonymously (using
JXplorer). I don't know if it makes a difference but I'm using OpenLDAP
2.2 rather than 2.4.
Well, apart from any consideration strictly related to your issue, you
should be using 2.3 (2.4 is not released yet but in alpha, so it's not
recommended).
I did mean 2.3 rather than 2.4. Unfortunately, circumstances beyond my
control dictate that I use 2.2. Upgrading to 2.3 is not an option at
the moment.
The fact that the above rules do not seem to work sounds odd, as they're
known to work as suggested. How can you tell they ever get used? Did you
run slapd with "acl" debug level enabled (with 2.2, OR 128 to the log
level)? My guess is that you have broader ACLs in place that get called
before the suggested ones. I suggest you post your entire slapd.conf
(after appropriate sanitization for any sensitive info).
p.
Here are the relevant ACL entries from slapd.conf.
access to attrs=userPassword
by group="<groupdn>" write
by self write
by anonymous auth
by * none
access to filter="(objectClass=inetOrgPerson)" attrs=cn
by * read
access to filter="(objectClass=inetOrgPerson)"
by users read
access to dn.base="dc=cityxpress,dc=com"
by group="<groupdn>" write
by users read
by anonymous read
by * none
access to dn.subtree="ou=Administrators,dc=cityxpress,dc=com"
by group="<groupdn>" write
by self read
by anonymous read
by * none
access to *
by group="<groupdn>" write
by users read
by anonymous auth
by * none
There are other entries in the ACL but they all refer to subtrees other
than the Administrator subtree which is the one that I'm interested in.
Note that the "Administrators" are of type
person/posixAccount/shadowAccount/inetOrgPerson. I tried a filter that
combined all object classes but it didn't work either.
I haven't had a chance to add acl debug statements to the log yet.
Thanks,
Dan.
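The ordering point Pierangelo raises ("broader ACLs in place that get called before the suggested ones") is the thing to check first, because slapd uses the first `access to` directive whose target matches the entry and attribute, then the first `by` clause in it that matches the subject, and denies if nothing matches. The following is an added example, not code from this thread and not part of OpenLDAP: a small Python model of that first-match evaluation, using placeholder DNs (`dc=example,dc=com`, a `cn=ldapadmins` group) and a constructed inetOrgPerson entry rather than anything from the posted slapd.conf. It runs the filter/attrs rules from the thread in the posted order and then with the broader `dn.subtree` rule moved ahead of them, to show how the second ordering alone is enough to expose every attribute to an anonymous bind. It is a model for reasoning about rule order, not a substitute for running slapd with the acl debug level.

```python
"""Toy first-match evaluator for slapd-style 'access to ... by ...' ACLs.

Added example, not part of the thread and not slapd code.  It models only
the pieces of OpenLDAP ACL semantics needed here: dn.base / dn.subtree /
objectClass filter / attrs targets, the who clauses *, anonymous, users,
self and group=, first matching directive wins, first matching by clause
wins, deny when nothing matches.
"""
from dataclasses import dataclass, field
from typing import Optional

# Access levels in increasing order of privilege.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


@dataclass
class Entry:
    dn: str
    object_classes: set
    attrs: dict


@dataclass
class Rule:
    """One 'access to <what> by <who> <level> ...' directive."""
    dn_base: Optional[str] = None       # dn.base="..."
    dn_subtree: Optional[str] = None    # dn.subtree="..."
    object_class: Optional[str] = None  # filter="(objectClass=X)" only
    attrs: Optional[set] = None         # attrs=...; None means every attribute
    by: list = field(default_factory=list)  # [(who, level), ...] in order


@dataclass
class Subject:
    dn: Optional[str] = None            # None models an anonymous bind
    groups: set = field(default_factory=set)


def rule_matches(rule: Rule, entry: Entry, attr: str) -> bool:
    """Does this 'access to' target cover (entry, attr)?"""
    if rule.dn_base is not None and entry.dn != rule.dn_base:
        return False
    if rule.dn_subtree is not None and not (
        entry.dn == rule.dn_subtree or entry.dn.endswith("," + rule.dn_subtree)
    ):
        return False
    if rule.object_class is not None and rule.object_class not in entry.object_classes:
        return False
    if rule.attrs is not None and attr not in rule.attrs:
        return False
    return True


def who_matches(who: str, subject: Subject, entry: Entry) -> bool:
    if who == "*":
        return True
    if who == "anonymous":
        return subject.dn is None
    if who == "users":
        return subject.dn is not None
    if who == "self":
        return subject.dn is not None and subject.dn == entry.dn
    if who.startswith("group="):
        return who[len("group="):] in subject.groups
    raise ValueError(f"unsupported who clause: {who}")


def access_level(rules: list, entry: Entry, attr: str, subject: Subject) -> str:
    """First matching directive wins; inside it the first matching 'by' wins;
    a matching directive with no matching 'by' denies, as does no match at all."""
    for rule in rules:
        if not rule_matches(rule, entry, attr):
            continue
        for who, level in rule.by:
            if who_matches(who, subject, entry):
                return level
        return "none"
    return "none"


def can_read(rules: list, entry: Entry, attr: str, subject: Subject) -> bool:
    return LEVELS.index(access_level(rules, entry, attr, subject)) >= LEVELS.index("read")


def readable_attrs(rules: list, entry: Entry, subject: Subject) -> list:
    return sorted(a for a in entry.attrs if can_read(rules, entry, a, subject))


# Constructed sample data; placeholder DNs, not taken from the list post.
BASE = "dc=example,dc=com"
ADMINS = "ou=Administrators," + BASE
ADMIN_GROUP = "cn=ldapadmins,ou=Groups," + BASE


def admin_entry() -> Entry:
    return Entry(
        dn="uid=alice," + ADMINS,
        object_classes={"person", "posixAccount", "shadowAccount", "inetOrgPerson"},
        attrs={"cn": "Alice", "mail": "alice@example.com", "uidNumber": "1001"},
    )


def filter_rules() -> list:
    """The two rules suggested in the thread: cn of inetOrgPersons to anyone,
    everything else of inetOrgPersons to authenticated users only."""
    return [
        Rule(object_class="inetOrgPerson", attrs={"cn"}, by=[("*", "read")]),
        Rule(object_class="inetOrgPerson", by=[("users", "read")]),
    ]


def subtree_rule() -> Rule:
    """The broader dn.subtree rule from the posted config, with anonymous read."""
    return Rule(dn_subtree=ADMINS, by=[("group=" + ADMIN_GROUP, "write"),
                                       ("self", "read"), ("anonymous", "read"), ("*", "none")])


def catch_all() -> Rule:
    return Rule(by=[("group=" + ADMIN_GROUP, "write"), ("users", "read"),
                    ("anonymous", "auth"), ("*", "none")])


def anon_view(order: str) -> list:
    """'filter-first' is the posted order; 'subtree-first' moves the broad
    dn.subtree rule ahead of the filter rules, so it shadows them."""
    if order == "filter-first":
        rules = filter_rules() + [subtree_rule(), catch_all()]
    elif order == "subtree-first":
        rules = [subtree_rule()] + filter_rules() + [catch_all()]
    else:
        raise ValueError(order)
    return readable_attrs(rules, admin_entry(), Subject())


if __name__ == "__main__":
    print("anonymous, filter rules first :", anon_view("filter-first"))
    print("anonymous, subtree rule first :", anon_view("subtree-first"))
```

With the filter rules first the anonymous subject reaches only `cn`; with the `dn.subtree ... by anonymous read` directive ahead of them it reaches every attribute, because that directive matches the entry for all attributes and slapd never reaches the narrower rules. When the real server disagrees with a model like this, the acl debug output is what settles which directive actually fired.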