Jan-Piet Mens wrote:
access to dn.subtree="ou=people,dc=example,dc=com"
attrs=@entryAccessEntities
but strangely this ALSO changes the privileges for the objectClass
attribute of the entry!
I can confirm that's happening here with same OpenLDAP version. I've
been banging my head all afternoon trying to find my own typo...
Don't inherit from top.
My ACL looks like this:
access to
attrs=userPassword,userPKCS12,shadowLastChange,@krbPrincipalAux,@krbTicketPolicyAux
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
by group="cn=LDAPadmins,ou=Groups,dc=mens,dc=de" write
by anonymous auth
by self none
by * none
That hides the objectClass type.
$ ldapsearch -x -LLL uid=f2
dn: uid=f2,ou=Users,dc=mens,dc=de
uid: f2
cn: Joe Guest
gecos: Joe Guest
gidNumber: 4
homeDirectory: /home/f2
loginShell: /bin/bash
sn: Guest
uidNumber: 902
If I list the attrs of that object class instead, there is no problem:
ACK. If I replace @krbPrincipalAux,@krbTicketPolicyAux by their list of
attributes, the objectclass type reappears.
-JP
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
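The behaviour discussed in this thread, modelled as an added example (this is not code from the thread, from OpenLDAP, or from slapd's ACL engine): an `attrs=@objectClass` set in an ACL expands to every attribute the class requires or allows, following the SUP chain, and because each class here inherits from `top` (whose MUST is `objectClass`), `@krbPrincipalAux` silently pulls `objectClass` into the rule. The schema below is constructed and abbreviated, the group name and the trailing `access to * by * read` catch-all are assumptions (the thread shows only the one directive), and the entry is a constructed stand-in for `uid=f2`.

```python
"""Model of slapd 'attrs=@objectClass' expansion and a simplified ACL evaluation.
Constructed schema and ACLs; not OpenLDAP's own code."""

# Constructed, abbreviated schema: (superior, MUST attributes, MAY attributes).
# Only the SUP chains matter for the point in the thread: every class ends at
# 'top', and top's MUST is objectClass.
SCHEMA = {
    "top": (None, {"objectClass"}, set()),
    "person": ("top", {"sn", "cn"}, {"userPassword"}),
    "posixAccount": ("top", {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
                     {"userPassword", "loginShell", "gecos"}),
    "krbPrincipalAux": ("top", set(), {"krbPrincipalName", "krbPrincipalKey"}),
    "krbTicketPolicyAux": ("top", set(), {"krbMaxTicketLife", "krbMaxRenewableAge"}),
}


def expand_objectclass(name, schema=SCHEMA):
    """All attributes required or allowed by an objectClass, including inherited ones."""
    attrs = set()
    while name is not None:
        sup, must, may = schema[name]
        attrs |= must | may
        name = sup
    return attrs


def expand_attrlist(spec, schema=SCHEMA):
    """Expand an ACL attrs= list: plain names pass through, '@class' expands."""
    out = set()
    for item in spec.split(","):
        item = item.strip()
        if item.startswith("@"):
            out |= expand_objectclass(item[1:], schema)
        elif item:
            out.add(item)
    return out


# Access levels in increasing order; 'read' or better makes an attribute visible.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def visible_attributes(entry, acl, who):
    """Simplified evaluation: the first 'access to' whose attrs contain the
    attribute wins; inside it the first matching 'by' clause decides. A non-empty
    ACL list that matches nothing denies (slapd's implicit 'by * none')."""
    visible = {}
    for attr, values in entry.items():
        level = "none"
        for attrspec, by_clauses in acl:
            if attrspec == "*" or attr in expand_attrlist(attrspec):
                for subject, granted in by_clauses:
                    if subject in (who, "*"):
                        level = granted
                        break
                break
        if LEVELS.index(level) >= LEVELS.index("read"):
            visible[attr] = values
    return visible


# The directive from the thread, plus an assumed catch-all (not shown in the thread).
ADMINS = "cn=LDAPadmins,ou=Groups,dc=mens,dc=de"  # group from the thread
BY_CLAUSES = [(ADMINS, "write"), ("anonymous", "auth"), ("self", "none"), ("*", "none")]
ACL_FROM_THREAD = [
    ("userPassword,userPKCS12,shadowLastChange,@krbPrincipalAux,@krbTicketPolicyAux", BY_CLAUSES),
    ("*", [("*", "read")]),  # assumption: a trailing 'access to * by * read'
]
# Same rule with the auxiliary classes replaced by their explicit attribute lists.
ACL_FIXED = [
    ("userPassword,userPKCS12,shadowLastChange,"
     "krbPrincipalName,krbPrincipalKey,krbMaxTicketLife,krbMaxRenewableAge", BY_CLAUSES),
    ("*", [("*", "read")]),
]

# Constructed entry standing in for uid=f2 from the thread's ldapsearch output.
ENTRY = {
    "objectClass": ["top", "person", "posixAccount", "krbPrincipalAux"],
    "uid": ["f2"], "cn": ["Joe Guest"], "sn": ["Guest"], "gecos": ["Joe Guest"],
    "uidNumber": ["902"], "gidNumber": ["4"], "homeDirectory": ["/home/f2"],
    "loginShell": ["/bin/bash"], "userPassword": ["{SSHA}constructed"],
    "krbPrincipalName": ["f2@EXAMPLE.COM"],
}


def hides_objectclass(acl, who="anonymous"):
    """True when the ACL, as modelled, keeps objectClass out of a search result."""
    return "objectClass" not in visible_attributes(ENTRY, acl, who)


if __name__ == "__main__":
    print("@krbPrincipalAux expands to:", sorted(expand_attrlist("@krbPrincipalAux")))
    print("thread ACL hides objectClass:", hides_objectclass(ACL_FROM_THREAD))
    print("explicit-list ACL hides objectClass:", hides_objectclass(ACL_FIXED))
```

The model makes the general point behind "Don't inherit from top": an `@class` selector is only as narrow as the class's full inheritance chain, so a rule meant to protect a handful of Kerberos attributes can also govern `objectClass` (and anything else inherited). Listing the attributes explicitly, as the thread ends up doing, keeps the rule's scope visible in the config itself; slapacl(8) can confirm what a given bind DN is actually granted on a real entry.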