Hi,

Using OpenLDAP 2.4 and this ACL:
=====
olcAccess: {0}to *   
   by dn="cn=admin,ou=ldap,dc=univ-avignon,dc=fr" write   
   by * break
olcAccess: {1}to attrs=userPassword
   by self write   
   by anonymous auth   
   by * none
olcAccess: {2}to attrs=myAttribute
   by dn="cn=myUser,ou=ldap,dc=univ-avignon,dc=fr" read
   by * none
olcAccess: {3}to *   
   by * read
=====
with the aim (rule {2}) of granting read access to attribute 'myAttribute' to
myUser and no other user (except admin).

As wanted, [R1] with the authenticated user myUser:
    [R1] ldapsearch -x -LLL -h <myLDAP> -b 'ou=people,dc=univ-avignon,dc=fr' -D 'cn=myUser,ou=ldap,dc=univ-avignon,dc=fr' -w <secret> "(uid=someUid)" myAttribute
gives me the dn and the required "myAttribute":
    dn: uid=someUid,ou=people,dc=univ-avignon,dc=fr
    myAttribute: <attribute value>
and [R2] with another authenticated user:
    [R2] ldapsearch -x -LLL -h <myLDAP> -b 'ou=people,dc=univ-avignon,dc=fr' -D 'cn=anotherUser,ou=ldap,dc=univ-avignon,dc=fr' -w <secret> "(uid=someUid)" myAttribute
does NOT give me the required "myAttribute", only the dn:
    dn: uid=someUid,ou=people,dc=univ-avignon,dc=fr

BUT by replacing "read" by "none" in rule {3}, I get an error "No such object
(32)" with both [R1] and [R2].
Since rule {3} should not be evaluated after matching rule {2}, I don't
understand why modifying rule {3} modifies the behaviour.

And by replacing "read" by "search" in rule {3}, I no longer get an error, but
I obtain neither the required "myAttribute" nor the dn, with either [R1] or
[R2].

Does it mean that "read" in rule {3} was necessary to read the dn? And that
without reading the dn, rule {2} cannot be evaluated?

Please help me!
Eric
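The three outcomes Eric reports follow from two things his rules do not spell out: `to *` also matches the `entry` pseudo-attribute (access to the entry itself, as distinct from any of its attributes), and a search is not a single access check but several (disclose/search on the base entry, search on each attribute in the filter, read on `entry` to return a DN at all, read on each attribute to include it). Rule {2} only ever covers `myAttribute`, so every other check falls through rule {0}'s `by * break` to rule {3}. The model below is added here as an illustration and is not OpenLDAP's code: the sample directory, the DN used for "another user" and the per-step access requirements are constructed from a simplified reading of slapd.access(5), not from slapd's implementation.

```python
"""Simplified model of slapd ACL evaluation for the rules in the post.

Constructed illustration, not OpenLDAP code.  It models only what the post
exercises: ordered 'to' clauses, 'break' versus the implicit 'stop',
cumulative privilege levels, the 'entry' pseudo-attribute that 'to *' also
matches, and the access a search needs at each step.
"""

# Privilege levels, ascending.  A grant of one level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def level_ge(granted, required):
    return LEVELS.index(granted) >= LEVELS.index(required)

ENTRY = "entry"   # pseudo-attribute: access to the entry itself
ADMIN = "cn=admin,ou=ldap,dc=univ-avignon,dc=fr"
MYUSER = "cn=myUser,ou=ldap,dc=univ-avignon,dc=fr"
OTHER = "cn=anotherUser,ou=ldap,dc=univ-avignon,dc=fr"   # constructed stand-in for "another user"
PEOPLE = "ou=people,dc=univ-avignon,dc=fr"

def who_matches(who, requester, target):
    """'by' subjects used in the post: '*', 'anonymous', 'self', or a literal dn."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester == target
    return requester == who

def access_allowed(acl, requester, target, attr, required):
    """First 'to' clause matching the attribute wins; inside it the first
    'by' clause matching the requester decides.  'break' hands evaluation
    to the next 'to' clause; 'stop' (the default) ends it.  A 'to' clause
    that matches the attribute but no requester denies access."""
    for attrs, by_clauses in acl:
        if attrs is not None and attr not in attrs:   # attrs=None models 'to *'
            continue
        for who, level, control in by_clauses:
            if not who_matches(who, requester, target):
                continue
            if control == "break":
                break                      # fall through to the next 'to' clause
            return level_ge(level, required)
        else:
            return False
    return False

def search(acl, requester, directory, base, filter_attr, filter_value, wanted):
    """Minimal subtree search: ('ok', [(dn, {attr: value})]) or ('error', text)."""
    # 1. The base entry.  Without search access the operation fails; lacking even
    #    'disclose', its existence is hidden behind noSuchObject (32).
    if not access_allowed(acl, requester, base, ENTRY, "search"):
        if not access_allowed(acl, requester, base, ENTRY, "disclose"):
            return ("error", "noSuchObject (32)")
        return ("error", "insufficientAccess (50)")
    results = []
    for dn, attrs in directory.items():
        if not dn.endswith(base):
            continue
        # 2. The filter only sees attributes the requester may search on.
        if not access_allowed(acl, requester, dn, filter_attr, "search"):
            continue
        if attrs.get(filter_attr) != filter_value:
            continue
        # 3. Returning the DN needs read access on the 'entry' pseudo-attribute.
        if not access_allowed(acl, requester, dn, ENTRY, "read"):
            continue
        # 4. Each requested attribute is included only with read access on it.
        visible = {a: v for a, v in attrs.items()
                   if a in wanted and access_allowed(acl, requester, dn, a, "read")}
        results.append((dn, visible))
    return ("ok", results)

DIRECTORY = {   # constructed sample data
    PEOPLE: {"ou": "people"},
    "uid=someUid," + PEOPLE: {"uid": "someUid", "myAttribute": "<attribute value>",
                              "userPassword": "{SSHA}placeholder"},
}

def post_acl(rule3_level):
    """The post's four rules; rule {3}'s access level is the parameter."""
    return [
        (None, [(ADMIN, "write", "stop"), ("*", None, "break")]),                       # {0}
        ({"userPassword"}, [("self", "write", "stop"), ("anonymous", "auth", "stop"),
                            ("*", "none", "stop")]),                                    # {1}
        ({"myAttribute"}, [(MYUSER, "read", "stop"), ("*", "none", "stop")]),           # {2}
        (None, [("*", rule3_level, "stop")]),                                           # {3}
    ]

def run(rule3_level, requester):
    return search(post_acl(rule3_level), requester, DIRECTORY, PEOPLE,
                  "uid", "someUid", {"myAttribute"})

if __name__ == "__main__":
    for level in ("read", "none", "search"):
        for name, who in (("myUser", MYUSER), ("anotherUser", OTHER), ("admin", ADMIN)):
            print(f"rule {{3}} = {level:6s}  {name:12s} -> {run(level, who)}")
```

Running it reproduces the post: with `read` in rule {3} myUser gets the DN plus `myAttribute` and anotherUser gets the DN only; with `none` both users hit noSuchObject at the base entry before rule {2} is ever consulted; with `search` the base and the filter pass but neither user has read on `entry`, so no DN is returned. Only admin, matched by rule {0}, is unaffected. The model makes the point slapd.access(5) documents: to return an entry, read access on `entry` must come from some rule, and a catch-all `to *` is the one supplying it here.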
