--On Wednesday, August 2, 2023 2:13 PM +0000 Marc Marc@f1-outsourcing.eu wrote:
a) ACLs are contextual
I am just appending this to an existing 'standard' type of acl
to dn.subtree="dc=local" filter=(|(objectClass=sendmailMTAClass)(objectClass=sendmailMTA)) by ssf=64 dn.exact="cn=cron,dc=local" read
I will repeat that ACLs are contextual. Providing a single ACL w/o the entire set of ACLs in use for context is not useful. You could enable ACL level debugging with slapd to see what permissions are being sought during the search to discover why it no longer returns any objects. Since your filter breaks it, clearly your search requires access to more than those two objectClasses.
As an aside, (&(objectClass=*)) should just be shortened to (objectClass=*).
--Quanah