Hi Brian, Brian Burch wrote: > However, when I search for "objectclass=accessControlSubentry", nothing > is returned (with or without the "+" attribute). Even searching for the > explicit dn of a known ACI doesn't return anything. > > Do you think this is a "user error", or a problem with the openldap > ldapsearch, or apacheds? I am using the 1.5.4 release.
You need to send the "subentries" control in order to retrieve ACI entries. For the OpenLDAP CLI client please add the "-E subentries" option. Example: ldapsearch -H ldap://localhost:10389 -x -D "uid=admin,ou=system" -W -b "dc=example,dc=com" -s sub -E subentries "(objectclass=accessControlSubentry)" "*" "+" Kind Regards, Stefan
