Hi Sean,

Your search helped me a bit tracking this down. Currently I am testing with something like this:
to dn.subtree="dc=local" filter=(|(objectClass=sendmailMTAClass)(objectClass=sendmailMTA)) by ssf=64 dn.exact="cn=cron,dc=local" read
to dn.subtree="dc=local" by ssf=64 dn.exact="cn=cron,dc=local" search
I'm wondering if a "search" privilege needs to be granted somewhere and "(objectClass=*)" is a loophole that bypasses the need for the "search" privilege. What happens if you say "filter=(&(objectClass=*))"?
Sean.
On 1/08/2023 10:34 pm, Marc wrote:
I have a ldapsearch that returns this object

sendmailMTAClassName: w
sendmailMTAClassValue: xxx
sendmailMTAClassValue: yyy
sendmailMTAClassValue: zzz
objectClass: sendmailMTA
objectClass: sendmailMTAClass

I thought I could strengthen the acl by just appending to with a filter but if I add these below, the ldapsearch does not return anything err=32

filter=(objectClass=sendmailMTAClass)
filter=(|(objectClass=sendmailMTAClass)(objectClass=sendmailMTA))
filter=(|(objectClass=sendmailMTAClass)(objectClass=sendmailMTA))
filter=(objectClass=sendmailMTA*)

If I change the filter to this, I get the expected result again

filter=(objectClass=*)

Goal is to have ldapsearch only list the specific objectClasses. Or should I do this with listing only attributes.