I am trying to configure my openldap server to allow a user to read a
list of users only if they have the "host" attribute with a specific
value, for instance "csa". I am using rhel 6, openldap 2.4.23 server.
When I have the following 2 acl's, the user Admin can get the full
contents of the 'abc' container:
access to attrs=userPassword
by dn="uid=0,dc=aa,dc=bb,dc=cc" write
by * auth
access to dn.subtree="ou=abc,dc=aa,dc=bb,dc=cc"
by dn="uid=Admin,ou=Operators,dc=aa,dc=bb,dc=cc" read
When I change the 2nd acl as follows, I get no response at all:
access to dn.subtree="ou=abc,dc=aa,dc=bb,dc=cc" filter=(host=csa)
by dn="uid=Admin,ou=Operators,dc=aa,dc=bb,dc=cc" read
There are a few records in the abc container which have the attribute
host with the 'csa' value. I have tried to give search permission to
the entire container and then add the permission of read only to the
filter as follows:
access to dn.subtree="ou=abc,dc=aa,dc=bb,dc=cc"
by dn="uid=Admin,ou=Operators,dc=aa,dc=bb,dc=cc" =cs
access to dn.subtree="ou=abc,dc=aa,dc=bb,dc=cc" filter=(host=csa)
by dn="uid=Admin,ou=Operators,dc=aa,dc=bb,dc=cc" +r
but I still don't get my list with ldapsearch. What am I missing here?