On Thu, Mar 7, 2013 at 11:53 PM, Michael Ströder <michael@stroeder.com> wrote:
devzero2000 wrote:
> iirc, in ldapv3 the right thing to search is the subschemaSubentry
> attribute, as a base, of the rootDSE object.

In general each part of the DIT could have its own subschema subentry! So you
have to read attribute subschemaSubentry in the entry for which you want to
determine the schema.
Not many schema-aware clients are doing this though.

Ciao, Michael.

Thanks, but I don't think this is my problem. I think it is a permission problem. It used to be that if I used 

ldapsearch -x "uid=jd"

I would get all entries except the userPassword and shadowLastChange, but if I used: 

ldapsearch -x -W -D "cn=admin,ou=roles,dc=example,dc=com" "uid=jd" 

I would get everything, including the userPassword and shadowLastChange. Neither one shows up now. Here are my permissions for these two attributes:

olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=shadlenlab,dc=columbia,dc=edu" write by * none

So, it looks like no one has read permissions for either attribute, if I am reading this correctly. I don't need to read the userPassword, but I do need to be able to read shadowLastChange. Can someone help me understand how to change olcAccess so that admin can read shadowLastChange using ldapmodify? I am finding the documentation on this extremely opaque.

thanks,
maria
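An added example, not part of the original thread, of the ldapmodify LDIF that splits the posted rule so shadowLastChange can be read without loosening userPassword. Two points are worth checking first, both visible in the rule as posted: slapd access levels are cumulative (none < disclose < auth < compare < search < read < write < manage, each level implying the ones below it), so `by dn="cn=admin,dc=shadlenlab,dc=columbia,dc=edu" write` already grants that DN read on both attributes; and the rule names cn=admin,dc=shadlenlab,dc=columbia,dc=edu, while the ldapsearch above binds as cn=admin,ou=roles,dc=example,dc=com, and a bind DN that is not the one named in a `by dn=` clause falls through to `by * none`. The LDIF assumes the database entry is olcDatabase={1}hdb,cn=config (find the real one with the ldapsearch in the note below) and keeps the admin DN the existing rule already uses; the file name shadow-acl.ldif is arbitrary.

```ldif
# Added example (not from the original thread). Assumptions: the database is
# olcDatabase={1}hdb,cn=config and the admin DN is the one already named in the ACL.
# Rules are evaluated in order and the first matching "to" clause wins, so the
# attribute-specific rules must stay ahead of any general "to *" rule. Deleting the
# value by its {0} index and adding explicit {0}/{1} values inserts the two new rules
# at the front; every existing rule after them is renumbered one position down.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {0}
-
add: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=shadlenlab,dc=columbia,dc=edu" write by * none
olcAccess: {1}to attrs=shadowLastChange by self write by dn="cn=admin,dc=shadlenlab,dc=columbia,dc=edu" write by users read by * none
```

To locate the database entry and apply the change on a Debian/Ubuntu-style install where the local root account reaches cn=config over SASL EXTERNAL (an assumption about the install), run `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase=*)" olcDatabase olcSuffix` and then `ldapmodify -Y EXTERNAL -H ldapi:/// -f shadow-acl.ldif`; the change takes effect immediately, no restart needed. Verify with the same bind that the ACL names, `ldapsearch -x -W -D "cn=admin,dc=shadlenlab,dc=columbia,dc=edu" "uid=jd" shadowLastChange`. userPassword stays hidden from everyone except self and the admin DN, and anonymous binds (the plain `-x` search) still see neither attribute; if an unauthenticated client such as an nslcd without a bind DN has to read password-aging data, `by users read` in the second rule would have to become `by * read`, which is a deliberate widening rather than a default.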