Hi,
(OpenLDAP version 2.4.23)
I have a filter expression in an ACL that is somehow affecting my
ability to retrieve specific attributes. What's strange (to me) is that
with or without the filter expression in place, I can retrieve all
attributes, i.e. the full object.
4986# ldapsearch -LLL -Z -x -y ../../private/pwemail '(uid=rpeterso)'
dn: yDirectoryID=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=email
yDirectoryID: c44883ba-ac62-d28c-556f-99ccbf532da7
objectClass: yAccount
objectClass: inetOrgPerson
uid: rpeterso
mail: rpeterso@mtholyoke.edu
etc...
But if I specify a particular attribute, then having the filter
expression in place somehow inhibits my ability to retrieve the specific
attribute(s).
Without filter expression:
4987# ldapsearch -LLL -Z -x -y ../../private/pwemail '(uid=rpeterso)' mail
dn: yDirectoryID=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=email
mail: rpeterso@mtholyoke.edu
With filter expression in place:
4990# ldapsearch -LLL -Z -x -y ../../private/pwemail '(uid=rpeterso)' mail
dn: yDirectoryID=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=email
The ACL in question looks like:
access to dn.regex="(yDirectoryID=.*),ou=email" filter="(&(yInstitution=mtholyoke.edu)(yGlobalPermission=allow)(|(yApplicationPermission=email)(&(yDefaultApplicationPermission=allow)(!(yApplicationPermission=email)))))"
by dn.regex=$1,ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu read
by dn="uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" read
by * none
I've turned my logging way up, and the hiccup seems to be that the DN
I've authenticated as
(uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu) needs read
access to the attributes in the filter expression. But how do I give
that account read access to those attributes, without then exposing the
objects that I'm trying to hide with the filter expression?
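One way to split the grant the question is asking about, as an added slapd.conf example that is not part of the original post: it assumes the poster's reading of the logs (the bound DN must be able to read the attributes the filter tests) and reuses the attribute names and DNs from the ACL quoted above. The first clause exposes only the four permission attributes to the email admin; the second is the original filtered clause, left unchanged, which still decides who may read mail and everything else.

```conf
# Added example, not from the original post. slapd.conf syntax, OpenLDAP 2.4.
# slapd picks the FIRST "access to" clause whose target matches a given
# attribute of the entry, so the narrow clause must come before the filtered one.

# 1. Filter-input attributes only: readable by the email admin (and by the
#    person the entry belongs to, preserving the $1 self-access from the
#    original clause). "mail" and all other attributes are NOT listed here,
#    so this clause never applies to them.
access to dn.regex="(yDirectoryID=.*),ou=email"
        attrs=yInstitution,yGlobalPermission,yApplicationPermission,yDefaultApplicationPermission
    by dn="uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" read
    by dn.regex="$1,ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" read
    by * none

# 2. Original filtered clause, unchanged: governs every remaining attribute,
#    including the "entry" pseudo-attribute that controls whether an entry
#    is returned at all, so entries that fail the filter stay hidden.
access to dn.regex="(yDirectoryID=.*),ou=email" filter="(&(yInstitution=mtholyoke.edu)(yGlobalPermission=allow)(|(yApplicationPermission=email)(&(yDefaultApplicationPermission=allow)(!(yApplicationPermission=email)))))"
    by dn.regex="$1,ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" read
    by dn="uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" read
    by * none
```

The trade-off to check before adopting this: the email admin can now read the permission attributes of every entry under ou=email, so the existence of an entry and its yInstitution / y*Permission values are no longer hidden from that account; only the attributes outside the attrs= list (mail and the rest) remain gated by the filter. Verify with the same ldapsearch as in the post, once requesting "mail" and once requesting one of the permission attributes, against an entry that matches the filter and one that does not.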