As shown in the documentation (section 8.2.5), I tried to restrict access to the attributes under dn.subtree="ou=accounts,dc=domain,dc=local" for dn="cn=addrbook,ou=services,dc=domain,dc=local", but dn="cn=addrbook,ou=services,dc=domain,dc=local" gets no access to the specified attributes:
```
root@metalmachine:~# ldapsearch -D "cn=addrbook,ou=services,dc=domain,dc=local" -W -b "ou=accounts,dc=domain,dc=local" mail
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=accounts,dc=domain,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: mail
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
```
Here are the two access directives for dn.subtree="ou=accounts,dc=domain,dc=local":
```
access to dn.subtree="ou=accounts,dc=domain,dc=local"
    attrs=uid,mail,cn,gn,sn,displayName
    by dn="cn=addrbook,ou=services,dc=domain,dc=local" read
    by dn="cn=dovecot,ou=services,dc=domain,dc=local" read

access to dn.subtree="ou=accounts,dc=domain,dc=local"
    by dn="cn=dovecot,ou=services,dc=domain,dc=local" read
    by anonymous auth
    by self read
    by * none
```
For dn="cn=dovecot,ou=services,dc=domain,dc=local" everything works fine.
I found a solution:
```
access to dn.children="ou=accounts,dc=domain,dc=local"
    attrs=uid,mail,cn,gn,sn,displayName
    by dn="cn=addrbook,ou=services,dc=domain,dc=local" read

access to dn.subtree="ou=accounts,dc=domain,dc=local"
    by dn="cn=addrbook,ou=services,dc=domain,dc=local" search
    by dn="cn=dovecot,ou=services,dc=domain,dc=local" read
    by anonymous auth
    by self read
    by * none
```
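Why the first ACL set answers "No such object" while the second works: slapd picks the first `access to` clause whose DN scope and `attrs` cover the requested attribute, then the first matching `by` clause, and a search needs `search` access to the base entry's `entry` pseudo-attribute. The model below (an added example, not part of the post or of OpenLDAP) encodes both ACL sets from the post and shows that the original grants `cn=addrbook` nothing on the `ou=accounts` entry itself (its first clause lists attributes only, its second falls through to `by * none`), whereas the fix grants `search` on the entries and keeps `read` limited to the listed attributes.

```python
# Toy model of how slapd evaluates its ACLs: the first "access to" clause whose
# DN scope and attrs cover the requested (entry, attribute) is selected, then the
# first matching "by" clause fixes the access level. Added example, not OpenLDAP code.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]
BASE = "ou=accounts,dc=domain,dc=local"
ADDRBOOK = "cn=addrbook,ou=services,dc=domain,dc=local"
DOVECOT = "cn=dovecot,ou=services,dc=domain,dc=local"
ATTRS = {"uid", "mail", "cn", "gn", "sn", "displayName"}

# Clause = (scope, base, attrs or None for every attribute including the
# "entry" pseudo-attribute, [(who, level), ...]); both configs from the post.
ORIGINAL = [
    ("subtree", BASE, ATTRS, [(ADDRBOOK, "read"), (DOVECOT, "read")]),
    ("subtree", BASE, None, [(DOVECOT, "read"), ("anonymous", "auth"),
                             ("self", "read"), ("*", "none")]),
]
FIXED = [
    ("children", BASE, ATTRS, [(ADDRBOOK, "read")]),
    ("subtree", BASE, None, [(ADDRBOOK, "search"), (DOVECOT, "read"),
                             ("anonymous", "auth"), ("self", "read"), ("*", "none")]),
]

def dn_in_scope(scope, base, dn):
    """dn.subtree includes the base entry itself; dn.children does not."""
    below = dn.endswith("," + base)
    return (dn == base or below) if scope == "subtree" else (below and dn != base)

def who_matches(who, bind_dn, entry_dn):
    return (who == "*" or (who == "anonymous" and bind_dn == "")
            or (who == "self" and bind_dn == entry_dn) or who == bind_dn)

def access_level(acl, bind_dn, entry_dn, attr):
    for scope, base, attrs, by_clauses in acl:
        if not dn_in_scope(scope, base, entry_dn) or (attrs is not None and attr not in attrs):
            continue
        for who, level in by_clauses:
            if who_matches(who, bind_dn, entry_dn):
                return level
        return "none"  # clause matched but no "by" fits: implicit "by * none"
    return "none"      # no clause matched: slapd denies (rootdn excepted)

def can(acl, bind_dn, entry_dn, attr, needed):
    """True if the granted level is at least `needed` (LEVELS is ordered)."""
    return LEVELS.index(access_level(acl, bind_dn, entry_dn, attr)) >= LEVELS.index(needed)

def search_visible(acl, bind_dn, search_base):
    """slapd needs "search" on the base entry's "entry" pseudo-attribute; without
    it the base is hidden and the client sees result 32 No such object."""
    return can(acl, bind_dn, search_base, "entry", "search")
```

Note that under the fixed ACLs `cn=addrbook` still only gets `search`, not `read`, on attributes outside the listed set (such as `userPassword`), so the fix does not widen what the address book account can read.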