Olivier Nicole <[EMAIL PROTECTED]> writes:
> Hi,
>
> I am implementing a directory with OpenLDAP and I would like anonymous
> users to be able to read only certain attributes, while all other
> attributes are accessible to authenticated users only.
>
> # ACL 1: Data that the user can change and that the world can see
> access to dn.one="ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th"
>     attrs=sn,givenName
>     by group="cn=groupadmin..." write
>     by self write
>     by * read
>
> # ACL 2: Personal data, that the user can change and the world can not see
> access to dn.one="ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th"
>     attrs=gecos,description
>     by group="cn=groupadmin..." write
>     by self write
>     by * none
>
> # ACL 3: any attribute that is not explicitly allowed above is denied
> access to dn.one="ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th"
>     by group="cn=groupadmin..." write
>     by dn.subtree="ou=csim,dc=cs,dc=ait,dc=ac,dc=th" read
>     by * none
>
> But this is not working. If I do like this, anonymous search will see
> nothing from the user.
>
> I found out somewhere that the attribute objectClass should always be
> exposed, so I tried to add it in ACL 1, but that is not working either.
> I must have a last ACL of the form
>
> access to dn.one="ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th"
>     by group="cn=groupadmin..." write
>     by dn.subtree="ou=csim,dc=cs,dc=ait,dc=ac,dc=th" read
>     by * read
>
> and I don't see where my reasoning is getting wrong.
The pseudo-attributes entry and children of the leaf node ou=people,... are
not accessible. Run slapd in debugging mode acl to watch access control
parsing.

-Dieter

--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
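The reason the first set of ACLs returns nothing to anonymous binds is first-match evaluation: ACL 1 and ACL 2 only match the attributes listed in their `attrs=` clauses, so the `entry` pseudo-attribute of each person entry falls through to ACL 3, which has no `attrs=` list (and therefore matches `entry` too) and gives anonymous `none`. Without read on `entry`, slapd will not return the entry at all, whatever the attribute-level rules say; the poster's "last ACL with by * read" only works because it leaks read on every attribute to get read on `entry`. The fragment below is an added example, not part of the thread, showing the narrow fix: one clause granting read on `entry` (plus `objectClass`, which search filters such as `(objectClass=*)` are evaluated against) placed before the catch-all. The full group DN is a hypothetical stand-in for the poster's elided `cn=groupadmin...`.

```conf
# Added example (not from the thread). Same suffix as the question; the group
# DN is a hypothetical placeholder for the poster's "cn=groupadmin...".
# slapd.conf continuation lines must start with whitespace.

# ACL 0: the entry itself must be readable before any per-attribute ACL can
# take effect. "entry" is a pseudo-attribute: it is matched only by clauses
# that name it or by clauses with no attrs= list (such as ACL 3 below), so
# this clause has to come before the catch-all. The "children"
# pseudo-attribute governs adding/deleting subordinate entries and is not
# needed for anonymous read, so it is deliberately left to ACL 3.
access to dn.one="ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th"
    attrs=entry,objectClass
    by group="cn=groupadmin,ou=Group,ou=csim,dc=cs,dc=ait,dc=ac,dc=th" write
    by * read

# ACL 1: data that the user can change and that the world can see
access to dn.one="ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th"
    attrs=sn,givenName
    by group="cn=groupadmin,ou=Group,ou=csim,dc=cs,dc=ait,dc=ac,dc=th" write
    by self write
    by * read

# ACL 2: personal data that the user can change and the world cannot see
access to dn.one="ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th"
    attrs=gecos,description
    by group="cn=groupadmin,ou=Group,ou=csim,dc=cs,dc=ait,dc=ac,dc=th" write
    by self write
    by * none

# ACL 3: everything else (including "children") stays closed to the world.
# Because ACL 0 already matched "entry", this clause no longer hides the
# entries themselves from anonymous searches.
access to dn.one="ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th"
    by group="cn=groupadmin,ou=Group,ou=csim,dc=cs,dc=ait,dc=ac,dc=th" write
    by dn.subtree="ou=csim,dc=cs,dc=ait,dc=ac,dc=th" read
    by * none
```

To confirm which clause is being hit for a given operation, start slapd with `-d acl` as Dieter suggests and issue an anonymous `ldapsearch` against `ou=People`: the log shows each `entry`/attribute access check and the ACL that decided it, which makes a misordered catch-all obvious.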
