Hello,
I have a problem configuring correct ACLs:
If you want to grant access to a specific attribute and allow adding the necessary object class for it, we could define:
Assuming objectClass is "O" and Attribute name is "A":
access to attrs=@O by self write by * +0 break
This works, but it also allows access to any value in the "objectClass" attribute and is therefore a massive security hole.
An alternative would be the following, which the manpage seems to describe (https://linux.die.net/man/5/slapd.access):
access to attrs=objectClass value="O" by self write by * +0 break
access to attrs=A by self write by * +0 break
But when I apply this, and want to add the object class, I simply get the INSUFFICIENT_ACCESS error code.
Maybe someone can help? If it's not possible, I think the manpage should be adjusted and mention this more explicitly. Maybe there is an exception for "objectClass"? Or is it a bug in the implementation?
Best regards,
spaceone
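The two ACL layouts from the post, written out as an added slapd.conf fragment (this is not from the original post), together with slapacl(8) invocations that let one check what a given bind DN is actually granted before touching the directory. "O" and "A" are the post's own placeholders for the object class and its attribute; the config path and the DNs are assumptions.

```conf
# Added example, not from the original post. "O" and "A" are the post's
# placeholders for the object class and its attribute; the config path
# and DNs used below are assumptions.

# Variant 1 from the post: attrs=@O expands to the attributes of object
# class O and, as the post notes, also covers the objectClass attribute
# itself, so "self" may add or remove ANY objectClass value, not only O.
access to attrs=@O
        by self write
        by * +0 break

# Variant 2 from the post: scope the objectClass grant to the single
# value O (slapd.access(5) spells the keyword "val[.<style>]=") and grant
# attribute A separately. The post reports INSUFFICIENT_ACCESS with this
# layout when adding the object class.
access to attrs=objectClass val=O
        by self write
        by * +0 break
access to attrs=A
        by self write
        by * +0 break

# Checking the effective rights offline with slapacl(8), which evaluates
# the ACLs in the given config against an existing entry (assumed DNs
# and config path). Each argument is attr[/access][:value]:
#
#   slapacl -v -f /etc/ldap/slapd.conf \
#       -D "uid=alice,ou=people,dc=example,dc=com" \
#       -b "uid=alice,ou=people,dc=example,dc=com" \
#       "objectClass/write:O" "objectClass/write:top" "A/write"
#
# slapacl reports ALLOWED or DENIED for every requested attr/access
# pair. With variant 1 the "objectClass/write:top" check is also
# ALLOWED, which is the overbroad grant the post describes; the
# value-scoped variant 2 is what should turn that one into DENIED.
```

Running slapacl against both variants is the quickest way to see exactly which attribute/value pair the server denies before attributing the INSUFFICIENT_ACCESS to the manpage or to the implementation.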