I had to add objectClass to Dan's example to get this to work. Not sure if this is the correct approach though.
access to dn.subtree="ou=People,dc=example,dc=com" attrs="entry,uid,cn,sn,mail,mailHost" by dn="cn=outsourced_ironport,dc=example,dc=com" read by * break
[1] https://www.openldap.org/faq/data/cache/429.html
-----Original Message-----
To: openldap-technical
Subject: Acl attribute access
If I have this acl:
to dn="sendmailMTAKey=test@bbbbb.com,ou=eeee,ou=ddddd,ou=ccccc,dc=bbbbb,dc=aaaaa,dc=local" by ssf=64 dn.exact="uid=acctest,ou=ffff,ou=ddddd,ou=ccccc,dc=bbbbb,dc=aaaaa,dc=local" read
I can access with this ldap search:
ldapsearch -LLL -W -s sub -b "sendmailMTAKey=test@bbbbb.com,ou=eeee,ou=ddddd,ou=ccccc,dc=bbbbb,dc=aaaaa,dc=local" -D "uid=acctest,ou=ffff,ou=ddddd,ou=ccccc,dc=bbbbb,dc=aaaaa,dc=local" -H ldaps://ldap.local sendmailMTAKey
If I change the acl to:
to dn="sendmailMTAKey=test@bbbbb.com,ou=eeee,ou=ddddd,ou=ccccc,dc=bbbbb,dc=aaaaa,dc=local" attrs="sendmailMTAKey" by ssf=64 dn.exact="uid=acctest,ou=ffff,ou=ddddd,ou=ccccc,dc=bbbbb,dc=aaaaa,dc=local" read
The ldapsearch is not returning any object. How to resolve this?
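An added illustration, not part of the thread, of the slapd.access(5) rules behind this behaviour: once attrs= is given, the clause no longer covers the "entry" pseudo-attribute, so the entry is withheld, and the default ldapsearch filter (objectClass=*) needs search access to objectClass as well. This toy Python model assumes exact-DN matching only (the dn.subtree form in the reply is not modelled), ignores entry contents, and treats the first matching to/by clause as decisive.

```python
import shlex
# slapd access levels, lowest to highest; a granted level implies every lower one.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
def parse_acl(text):
    """Parse 'access to dn=X [attrs=a,b] by [ssf=N] [dn.exact=Y|*] <level> ...' lines."""
    rules = []
    for line in text.strip().splitlines():
        target, attrs, bys, cur = None, None, [], None   # attrs None: all attrs plus 'entry'
        for tok in shlex.split(line)[2:]:                 # skip the words 'access to'
            if tok == "by":
                cur = {"dn": None, "ssf": 0, "level": "none"}; bys.append(cur)
            elif cur is None and tok.startswith(("dn=", "dn.exact=")):
                target = tok.split("=", 1)[1]             # exact-DN matching only (assumption)
            elif cur is None and tok.startswith("attrs="):
                attrs = set(tok[6:].split(","))
            elif cur is not None and tok.startswith(("dn=", "dn.exact=")):
                cur["dn"] = tok.split("=", 1)[1]          # 'by *' leaves dn None: anyone matches
            elif cur is not None and tok.startswith("ssf="):
                cur["ssf"] = int(tok[4:])                 # minimum security strength factor
            elif cur is not None and tok in LEVELS:
                cur["level"] = tok
        rules.append((target, attrs, bys))
    return rules

def has_access(rules, entry_dn, attr, binder, ssf, needed):
    """First 'to' clause covering (entry, attr) decides, then its first matching 'by' clause."""
    for target, attrs, bys in rules:
        if target != entry_dn or (attrs is not None and attr not in attrs):
            continue
        for by in bys:
            if (by["dn"] is None or by["dn"] == binder) and ssf >= by["ssf"]:
                return LEVELS.index(by["level"]) >= LEVELS.index(needed)
        return False                                      # no 'by' matched: none
    return False                                          # no 'to' matched: none

def search_result(rules, entry_dn, binder, ssf, filter_attrs, wanted):
    """Attributes returned for entry_dn, or None when the entry itself is withheld."""
    if not has_access(rules, entry_dn, "entry", binder, ssf, "read"):   # read on 'entry' first
        return None
    if not all(has_access(rules, entry_dn, a, binder, ssf, "search") for a in filter_attrs):
        return None                                       # and search on every filter attribute
    return [a for a in wanted if has_access(rules, entry_dn, a, binder, ssf, "read")]
# Constructed sample with the thread's DNs; ldapsearch's default filter is (objectClass=*).
ENTRY = "sendmailMTAKey=test@bbbbb.com,ou=eeee,ou=ddddd,ou=ccccc,dc=bbbbb,dc=aaaaa,dc=local"
BINDER = "uid=acctest,ou=ffff,ou=ddddd,ou=ccccc,dc=bbbbb,dc=aaaaa,dc=local"
ACL_ATTR_ONLY = f'access to dn="{ENTRY}" attrs="sendmailMTAKey" by ssf=64 dn.exact="{BINDER}" read'
ACL_FIXED = f'access to dn="{ENTRY}" attrs="entry,objectClass,sendmailMTAKey" by ssf=64 dn.exact="{BINDER}" read'
def demo(acl, ssf=256):
    return search_result(parse_acl(acl), ENTRY, BINDER, ssf, ["objectClass"], ["sendmailMTAKey"])
```

demo(ACL_ATTR_ONLY) returns None (the entry is never returned), while demo(ACL_FIXED) returns the requested attribute; dropping ssf below 64 withholds the entry again.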