Ok, I found my problem: I was ldap-searching for uid=username, but did not realise that since uid is also defined in acmeUserAccount, its restricted everywhere. If I would search for cn=username, that would work with access to attrs=@acmeUserAccount. That means I would get results form the unix tree.
So, sorry for bothering you, and thanks a lot for helping me think with this discussion ;-)
Isaac
On 11/17/2010 06:54 PM, Quanah Gibson-Mount wrote:
--On Wednesday, November 17, 2010 12:39 PM +0100 Isaac Hailperin hailperin@zib.de wrote:
access to dn.subtree="ou=useradm,dc=acme,dc=org" attrs=@acmeUserAccount
That works without sideeffects. Thank you :-) But I still don't understand why 2 has side effects.
@acmeUserAccount by itself is going to affect access to all the attributes that are in that objectClass. It's really just shorthand for that list of attributes in that objectClass. So if you used the some of the same attributes in your other tree, they would be affected as well. By adding the specific subtree restriction, then you no longer affect those attributes elsewhere.
--Quanah