Hi Sean,

Your search helped me a bit in tracking this down. Currently I am testing with something like this:

to dn.subtree="dc=local" filter=(|(objectClass=sendmailMTAClass)(objectClass=sendmailMTA))
    by ssf=64 dn.exact="cn=cron,dc=local" read
to dn.subtree="dc=local"
    by ssf=64 dn.exact="cn=cron,dc=local" search

> I'm wondering if a "search" privilege needs to be granted somewhere and
> "(objectClass=*)" is a loophole that bypasses the need for the
> "search" privilege. What happens if you say "filter=(&(objectClass=*))"?
>
> Sean.
>
> On 1/08/2023 10:34 pm, Marc wrote:
> > I have a ldapsearch that returns this object
> >
> > sendmailMTAClassName: w
> > sendmailMTAClassValue: xxx
> > sendmailMTAClassValue: yyy
> > sendmailMTAClassValue: zzz
> > objectClass: sendmailMTA
> > objectClass: sendmailMTAClass
> >
> > I thought I could strengthen the acl by just appending to with a filter
> >
> > but if I add these below, the ldapsearch does not return anything
> > err=32
> >
> > filter=(objectClass=sendmailMTAClass)
> > filter=(|(objectClass=sendmailMTAClass)(objectClass=sendmailMTA))
> > filter=(|(objectClass=sendmailMTAClass)(objectClass=sendmailMTA))
> > filter=(objectClass=sendmailMTA*)
> >
> > If I change the filter to this, I get the expected result again
> >
> > filter=(objectClass=*)
> >
> > Goal is to have ldapsearch only list the specific objectClasses. Or
> > should I do this with listing only attributes.