
Re: Limiting attributes through ACL

Pierangelo Masarati wrote:

[please keep replies on the list]

Oops. Sorry about that. I just hit Reply to the message not realizing that the reply wasn't going to the list but just to you directly.

Dan Ciarniello wrote:

# anyone can see the cn of inetOrgPersons
access to filter="(objectClass=inetOrgPerson)" attrs=cn
       by * read

# only users can see anything else of inetOrgPersons
access to filter="(objectClass=inetOrgPerson)"
       by users read

Unfortunately, that doesn't seem to do it. I set the above filters, but
I still get back all attributes when binding anonymously (using
JXplorer). I don't know if it makes a difference, but I'm using OpenLDAP
2.2 rather than 2.4.

Well, apart from any consideration strictly related to your issue, you
should be using 2.3 (2.4 is not released yet but in alpha, so it's not
recommended).

I did mean 2.3 rather than 2.4. Unfortunately, circumstances beyond my control dictate that I use 2.2. Upgrading to 2.3 is not an option at the moment.

The fact that the above rules do not seem to work sounds odd, as they're
known to work as suggested. How can you tell they ever get used? Did you
run slapd with "acl" debug level enabled (with 2.2, OR 128 to the log
level)? My guess is that you have broader ACLs in place that get called
before the suggested ones. I suggest you post your entire slapd.conf
(after appropriate sanitization for any sensitive info).

p.

Here are the relevant ACL entries from slapd.conf.

access to attrs=userPassword
       by group="<groupdn>" write
       by self write
       by anonymous auth
       by * none

access to filter="(objectClass=inetOrgPerson)" attrs=cn
       by * read

access to filter="(objectClass=inetOrgPerson)"
       by users read

access to dn.base="dc=cityxpress,dc=com"
       by group="<groupdn>" write
       by users read
       by anonymous read
       by * none

access to dn.subtree="ou=Administrators,dc=cityxpress,dc=com"
       by group="<groupdn>" write
       by self read
       by anonymous read
       by * none

access to *
       by group="<groupdn>" write
       by users read
       by anonymous auth
       by * none

There are other entries in the ACL but they all refer to subtrees other than the Administrator subtree which is the one that I'm interested in. Note that the "Administrators" are of type person/posixAccount/shadowAccount/inetOrgPerson. I tried a filter that combined all object classes but it didn't work either.

I haven't had a chance to add acl debug statements to the log yet.

Thanks,
Dan.
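Added example, not part of the thread and not OpenLDAP code: a deliberately small Python model of the first-match evaluation order that slapd.access(5) documents and that Pierangelo's "broader ACLs ... called before the suggested ones" remark relies on. The first "access to" clause whose target covers the entry/attribute is the only one consulted; within it the first matching "by" clause decides; no match means no access. Fed the six clauses posted above, it shows that an anonymous read of cn on an inetOrgPerson stops at the second clause (read), while any other attribute stops at the third clause (no "by" matches anonymous, so denied), so an earlier or differently placed clause would be needed to explain seeing every attribute; moving the ou=Administrators subtree rule ahead of the filter rules is used to illustrate that. ADMIN_GROUP stands in for the redacted <groupdn>, the entry and bind subjects are constructed, and real features such as regex DN styles, entry/children pseudo-attributes, sets, peername and the rootdn bypass are left out.

```python
"""Toy model of slapd ACL evaluation order (added example, not OpenLDAP code).

Modelled after slapd.access(5):
  * the FIRST "access to" clause whose target matches the entry/attribute
    is the only one consulted; later clauses are never reached;
  * within it, the FIRST "by" clause whose subject matches decides the
    privilege; if none matches, access is denied (implicit "by * none");
  * if no "access to" clause matches at all, access is denied.
Regex/style DNs, entry/children pseudo-attributes, sets, peername,
"break"/"stop" controls and the rootdn bypass are deliberately omitted.
"""

LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# <groupdn> is redacted in the post; this DN is an assumption for the model.
ADMIN_GROUP = "cn=ldapadmins,ou=Groups,dc=cityxpress,dc=com"


def norm(dn):
    return dn.lower().replace(", ", ",")


def in_subtree(dn, base):
    dn, base = norm(dn), norm(base)
    return dn == base or dn.endswith("," + base)


def target_matches(to, entry, attr):
    """Does the 'access to <what>' part of a clause cover entry/attr?"""
    if "dn_base" in to and norm(entry["dn"]) != norm(to["dn_base"]):
        return False
    if "dn_subtree" in to and not in_subtree(entry["dn"], to["dn_subtree"]):
        return False
    if "objectclass" in to:  # stands in for filter="(objectClass=X)"
        ocs = {oc.lower() for oc in entry["objectClass"]}
        if to["objectclass"].lower() not in ocs:
            return False
    if "attrs" in to and attr.lower() not in {a.lower() for a in to["attrs"]}:
        return False
    return True


def who_matches(who, entry, subject):
    """Does a 'by <who>' clause apply to the bound subject?"""
    if who == "*":
        return True
    if who == "anonymous":
        return subject["dn"] is None
    if who == "users":
        return subject["dn"] is not None
    if who == "self":
        return subject["dn"] is not None and norm(subject["dn"]) == norm(entry["dn"])
    if who.startswith("group="):
        # Simplified: the subject carries its group memberships directly.
        return norm(who[len("group="):]) in {norm(g) for g in subject["groups"]}
    raise ValueError("unsupported 'by' subject: " + who)


def evaluate(acls, entry, attr, subject):
    """Return (index of the deciding clause or None, granted level)."""
    for i, clause in enumerate(acls):
        if not target_matches(clause["to"], entry, attr):
            continue
        for who, level in clause["by"]:
            if who_matches(who, entry, subject):
                return i, level
        return i, "none"  # target matched but no 'by' matched: implicit deny
    return None, "none"   # no clause matched at all


def allowed(acls, entry, attr, subject, want):
    return LEVELS.index(evaluate(acls, entry, attr, subject)[1]) >= LEVELS.index(want)


G = "group=" + ADMIN_GROUP
# The six clauses from the post, in the order posted.
POSTED_ACLS = [
    {"to": {"attrs": {"userPassword"}},
     "by": [(G, "write"), ("self", "write"), ("anonymous", "auth"), ("*", "none")]},
    {"to": {"objectclass": "inetOrgPerson", "attrs": {"cn"}},
     "by": [("*", "read")]},
    {"to": {"objectclass": "inetOrgPerson"},
     "by": [("users", "read")]},
    {"to": {"dn_base": "dc=cityxpress,dc=com"},
     "by": [(G, "write"), ("users", "read"), ("anonymous", "read"), ("*", "none")]},
    {"to": {"dn_subtree": "ou=Administrators,dc=cityxpress,dc=com"},
     "by": [(G, "write"), ("self", "read"), ("anonymous", "read"), ("*", "none")]},
    {"to": {},
     "by": [(G, "write"), ("users", "read"), ("anonymous", "auth"), ("*", "none")]},
]

# Same clauses with the ou=Administrators subtree rule moved ahead of the
# objectClass filter rules: a "broader ACL that gets called before".
SUBTREE_FIRST = [POSTED_ACLS[4]] + POSTED_ACLS[:4] + POSTED_ACLS[5:]

# Constructed sample entry carrying the object classes the post names.
ADMIN_ENTRY = {
    "dn": "uid=dan,ou=Administrators,dc=cityxpress,dc=com",
    "objectClass": ["person", "posixAccount", "shadowAccount", "inetOrgPerson"],
}
ANONYMOUS = {"dn": None, "groups": set()}
DAN = {"dn": ADMIN_ENTRY["dn"], "groups": set()}

if __name__ == "__main__":
    for attr in ("cn", "mail", "userPassword"):
        print("posted    anon", attr, evaluate(POSTED_ACLS, ADMIN_ENTRY, attr, ANONYMOUS))
        print("reordered anon", attr, evaluate(SUBTREE_FIRST, ADMIN_ENTRY, attr, ANONYMOUS))
```

The model is only a reasoning aid; the authoritative answer is the "acl" debug output (log level 128 on 2.2) from the running slapd, which prints which clause each access check actually stopped at.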