On Thu, Mar 7, 2013 at 11:53 PM, Michael Ströder <[email protected]> wrote:

> devzero2000 wrote:
> > iirc, in ldapv3 the right thing to search is the subschemaSubentry
> > attribute, as a base, of the rootDSE object.
>
> In general each part of the DIT could have its own subschema subentry! So
> you have to read attribute subschemaSubentry in the entry for which you
> want to determine the schema.
> Not many schema-aware clients are doing this though.
>
> Ciao, Michael.
>

Thanks, but I don't think this is my problem. I think it is a permission
problem. It used to be that if I used

ldapsearch -x "uid=jd"

I would get all entries except the userPassword and shadowLastChange, but
if I used:

ldapsearch -x -W -D "cn=admin,ou=roles,dc=example,dc=com" "uid=jd"

I would get everything, including the userPassword and shadowLastChange.
Neither one shows up now. Here are my permissions for these two attributes:

olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=shadlenlab,dc=columbia,dc=edu" write by * none

So, it looks like no one has read permissions for either attribute, if I am
reading this correctly. I don't need to read the userPassword, but I do
need to be able to read shadowLastChange. Can someone help me understand
how to change olcAccess so that admin can read shadowLastChange using
ldapmodify? I am finding the documentation on this extremely opaque.

thanks,
maria
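Added example for the question above; it is not code from the original message or from OpenLDAP. It models the two slapd.access(5) rules that decide what each of the ldapsearch invocations in the message sees: the first matching "by" clause wins, and a clause grants every level at or below the one it names (write implies read, auth does not). It evaluates the posted directive for an anonymous bind, for the entry itself, and for both admin DNs that appear in the message, then builds the ldapmodify record that gives shadowLastChange a rule of its own. Assumptions: dn="..." is treated as an exact, case-insensitive match (slapd also has regex and subtree styles, not modelled here); the database DN olcDatabase={1}hdb,cn=config and the entry DN uid=jd,ou=people,dc=example,dc=com are placeholders.

```python
"""Evaluate an olcAccess directive the way slapd does, then build the
ldapmodify change that gives shadowLastChange its own rule.

Added example, not code from the original thread or from OpenLDAP.
Models two rules from slapd.access(5): the first matching "by" clause
decides, and a clause grants every level at or below the one it names
(write implies read; auth does not).  dn="..." is treated as an exact,
case-insensitive match (an assumption; regex/subtree styles are not
modelled).  The database DN and entry DNs below are placeholders.
"""
import re

# slapd privilege levels, lowest first; index n includes every lower level.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The directive as posted, reassembled from its LDIF line wrap.
POSTED = ('{0}to attrs=userPassword,shadowLastChange by self write by anonymous auth '
          'by dn="cn=admin,dc=shadlenlab,dc=columbia,dc=edu" write by * none')

_BY = re.compile(r'by\s+(\*|self|anonymous|users|dn="[^"]*")\s+(\w+)')


def parse_directive(text):
    """Return (attrs, [(who, level), ...]) with clauses in evaluation order."""
    body = re.sub(r"^\{\d+\}", "", text.strip())
    attrs = re.match(r"to\s+attrs=([\w,-]+)", body).group(1).split(",")
    return attrs, _BY.findall(body)


def _norm(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))


def effective_access(clauses, bind_dn, entry_dn):
    """Level the requester gets on entry_dn; bind_dn=None means anonymous."""
    for who, level in clauses:
        if who == "*":
            return level
        if who == "anonymous" and bind_dn is None:
            return level
        if who == "users" and bind_dn is not None:
            return level
        if who == "self" and bind_dn and _norm(bind_dn) == _norm(entry_dn):
            return level
        if who.startswith('dn="') and bind_dn and _norm(who[4:-1]) == _norm(bind_dn):
            return level
    return "none"  # slapd's implicit trailing "by * none"


def can_read(clauses, bind_dn, entry_dn):
    return LEVELS.index(effective_access(clauses, bind_dn, entry_dn)) >= LEVELS.index("read")


def split_directive(admin_dn, others="none"):
    """One rule per attribute.  userPassword stays auth-only for everyone but
    self and the admin; shadowLastChange becomes readable by the admin DN
    actually used to bind (write implies read).  Raise `others` to "read"
    only if every other client, anonymous included, must see it too."""
    return [
        f'{{0}}to attrs=userPassword by self write by anonymous auth '
        f'by dn="{admin_dn}" write by * none',
        f'{{1}}to attrs=shadowLastChange by self write by dn="{admin_dn}" write '
        f'by * {others}',
    ]


def build_ldif(db_dn, new_rules):
    """ldapmodify record: delete the old {0} value by its index tag, then add
    the new values with index tags so slapd slots them in and renumbers the
    rules that follow.  (A `replace: olcAccess` would instead discard every
    rule not listed, which is the usual way to lock yourself out.)"""
    lines = [f"dn: {db_dn}", "changetype: modify", "delete: olcAccess",
             "olcAccess: {0}", "-", "add: olcAccess"]
    lines += [f"olcAccess: {r}" for r in new_rules]
    lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    attrs, clauses = parse_directive(POSTED)
    jd = "uid=jd,ou=people,dc=example,dc=com"  # placeholder entry DN
    for who in (None, "cn=admin,dc=shadlenlab,dc=columbia,dc=edu",
                "cn=admin,ou=roles,dc=example,dc=com", jd):
        print(f"{who or 'anonymous':45} -> {effective_access(clauses, who, jd)}")
    rules = split_directive("cn=admin,ou=roles,dc=example,dc=com")
    print(build_ldif("olcDatabase={1}hdb,cn=config", rules))  # db DN is an assumption
```

Before applying anything, confirm the real database DN and the rules that follow {0} with `ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b cn=config '(olcAccess=*)' olcAccess`; the message only shows the first rule. Write the printed record to a file and apply it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif` (SASL EXTERNAL over ldapi is the usual way the local root user is allowed to edit cn=config; if your config database grants a different identity, bind as that instead). Then rerun the two ldapsearch commands from the message: the evaluator's output tells you which "by" clause each bind DN lands on, and a bind DN that matches no clause before `by * none` gets nothing, whatever its name.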
