I am facing the following problem (with v2.4.31 on CentOS 5.8).
I am using a recently added custom schema with one AUX objectclass
and 3 optional attrs; I am trying to use an ACL of the form:
access to dn.subtree="ou=people,dc=example,dc=com"
        attrs=@entryAccessEntities
        by group/groupOfNames/member.exact="cn=Admins,ou=groups,dc=example,dc=com" read
but strangely this ALSO changes the privileges for the objectClass
attribute of the entry!
If I list the attrs of that object class instead, there is no problem:
access to dn.subtree="ou=people,dc=example,dc=com"
        attrs=writeAccessEntities,readAccessEntities,searchAccessEntities
        by group/groupOfNames/member.exact="cn=Admins,ou=groups,dc=example,dc=com" read
Now, the ACL works correctly, and it does not affect the entry
objectClass attribute.
Surprisingly, this does not happen with other object classes. If I use,
for example:
access to dn.subtree="ou=people,dc=example,dc=com"
        attrs=@eduPerson
        by group/groupOfNames/member.exact="cn=Admins,ou=groups,dc=example,dc=com" read
then, it correctly assigns privileges to only the attrs of eduPerson
object class (also an AUX class with only optional attrs), without
affecting the entry objectclass attribute.
Does anyone have an idea what is happening? Am I doing anything wrong?
Any help will be appreciated.
For reference I include the schema below.
Note: I am using dynamic config, but I have listed schema and ACLs in
their "standard" form, for better readability.
Thanks,
Nick
=====================================================
entryaccess.schema
=====================================================
attributetype ( 1.3.6.1.4.1.39349.4.1.11
        NAME 'writeAccessEntities'
        DESC 'DNs of Groups which should be allowed write (full) access to this entry'
        SUP distinguishedName )

attributetype ( 1.3.6.1.4.1.39349.4.1.12
        NAME 'readAccessEntities'
        DESC 'DNs of Groups which should be allowed read (read-only) access to this entry'
        SUP distinguishedName )

attributetype ( 1.3.6.1.4.1.39349.4.1.13
        NAME 'searchAccessEntities'
        DESC 'DNs of Groups which should be allowed search (search-only) access to this entry'
        SUP distinguishedName )

objectclass ( 1.3.6.1.4.1.39349.4.2.101
        NAME 'entryAccessEntities'
        DESC 'Allow access to the entry, to which this class is added, to the entities specified as the values (DNs) of this class attributes'
        SUP top AUXILIARY
        MAY ( writeAccessEntities $ readAccessEntities $ searchAccessEntities ) )
=====================================================
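An added example (not part of Nick's post and not OpenLDAP code) that expands an attrs=@objectClass ACL selector over the schema above the way I understand slapd to resolve it, namely including the MUST and MAY attributes inherited through the SUP chain; since entryAccessEntities is declared SUP top and top requires objectClass, the expansion picks objectClass up, while a class with no SUP clause (eduPerson is assumed here to be one) expands to its own attributes only. The 'top' and 'eduPerson' definitions below are constructed stand-ins, and the inheritance behaviour is an assumption to check against your own slapd, e.g. with a slapacl run against a test entry.

```python
import re

# Constructed schema text: the post's objectclass, a minimal 'top' (which
# MUST objectClass), and a SUP-less auxiliary class standing in for eduPerson
# (assumption: the real eduPerson definition declares no SUP clause).
SCHEMA = """
objectclass ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
objectclass ( 1.3.6.1.4.1.39349.4.2.101 NAME 'entryAccessEntities'
    SUP top AUXILIARY
    MAY ( writeAccessEntities $ readAccessEntities $ searchAccessEntities ) )
objectclass ( 1.3.6.1.4.1.5923.1.1.2 NAME 'eduPerson' AUXILIARY
    MAY ( eduPersonAffiliation $ eduPersonPrincipalName ) )
"""

def _names_after(body, keyword):
    """Names following SUP/MUST/MAY: either '( a $ b )' or a single token."""
    m = re.search(r'\b%s\s+(?:\(([^)]*)\)|(\S+))' % keyword, body)
    if not m:
        return []
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    return [a.strip() for a in raw.split('$') if a.strip()]

def parse_objectclasses(text):
    """Map class name -> (sups, must, may), scanning balanced '( ... )' bodies."""
    classes, pos = {}, 0
    while (start := text.find('objectclass', pos)) >= 0:
        open_ = text.index('(', start)
        depth = 0
        for k in range(open_, len(text)):
            depth += (text[k] == '(') - (text[k] == ')')
            if depth == 0:
                break
        else:
            break  # unbalanced definition: stop scanning
        body = text[open_ + 1:k]
        name = re.search(r"NAME\s+'([^']+)'", body).group(1)
        classes[name] = tuple(_names_after(body, kw) for kw in ('SUP', 'MUST', 'MAY'))
        pos = k
    return classes

def expand_selector(classes, name, seen=None):
    """Attributes an 'attrs=@name' selector covers: the class's own MUST and MAY
    plus everything inherited through SUP (assumption: this mirrors how slapd
    builds a class's required/allowed attribute sets)."""
    seen = set() if seen is None else seen
    if name in seen or name not in classes:
        return set()
    seen.add(name)
    sups, must, may = classes[name]
    attrs = set(must) | set(may)
    for sup in sups:
        attrs |= expand_selector(classes, sup, seen)
    return attrs

if __name__ == '__main__':
    ocs = parse_objectclasses(SCHEMA)
    for oc in ('entryAccessEntities', 'eduPerson'):
        print('@%s -> %s' % (oc, sorted(expand_selector(ocs, oc))))
```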