access to dn.subtree="ou=people,dc=example,dc=com" attrs=@entryAccessEntities
but strangely this ALSO changes the privileges for the objectClass attribute of the entry!
I can confirm that's happening here with the same OpenLDAP version. I've been banging my head all afternoon trying to find my own typo...
My ACL looks like this:
access to attrs=userPassword,userPKCS12,shadowLastChange,@krbPrincipalAux,@krbTicketPolicyAux
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
    by group="cn=LDAPadmins,ou=Groups,dc=mens,dc=de" write
    by anonymous auth
    by self none
    by * none
That hides the objectClass type.
$ ldapsearch -x -LLL uid=f2
dn: uid=f2,ou=Users,dc=mens,dc=de
uid: f2
cn: Joe Guest
gecos: Joe Guest
gidNumber: 4
homeDirectory: /home/f2
loginShell: /bin/bash
sn: Guest
uidNumber: 902
If I list the attrs of that object class instead, there is no problem:
ACK. If I replace @krbPrincipalAux,@krbTicketPolicyAux by their list of attributes, the objectClass type reappears.
-JP
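Added example (not from the thread or from OpenLDAP itself): a toy model of the attrs=@<objectClass> shortcut and first-match ACL evaluation, showing why the posted rule ends up governing objectClass while the explicit attribute list does not. It assumes the @ shortcut expands to the class's required and allowed attributes including those inherited from its superiors (top requires objectClass); the krb* attribute names and the schema are constructed, not the real Kerberos schema.

```python
# Toy model of slapd's attrs=@<objectClass> expansion and first-match ACL
# evaluation. The schema below is constructed for this example; only the
# inheritance from top (which requires objectClass) matters for the point.
SCHEMA = {
    # class: (superior, MUST attributes, MAY attributes)
    "top": (None, {"objectClass"}, set()),
    "krbPrincipalAux": ("top", set(), {"krbPrincipalName", "krbPrincipalKey"}),
    "krbTicketPolicyAux": ("top", set(), {"krbMaxTicketLife"}),
}

def expand_objectclass(oc):
    """All attributes required or allowed by oc, including inherited ones."""
    attrs = set()
    while oc is not None:
        sup, must, may = SCHEMA[oc]
        attrs |= must | may
        oc = sup
    return attrs

def expand_attrs(spec):
    """Expand a comma-separated attrs= list; '@name' denotes an objectClass set."""
    attrs = set()
    for item in spec.split(","):
        item = item.strip()
        if item.startswith("@"):
            attrs |= expand_objectclass(item[1:])
        else:
            attrs.add(item)
    return {a.lower() for a in attrs}

def effective_access(acl, attr, who="anonymous"):
    """The first 'access to attrs=' clause whose set contains attr decides.
    acl is a list of (attrs_spec, {who: level}); '*' matches every attribute."""
    for spec, by in acl:
        if spec == "*" or attr.lower() in expand_attrs(spec):
            return by.get(who, by.get("*", "none"))
    return "none"

# The posted rule (only the anonymous and catch-all 'by' parts are modelled),
# followed by a typical final clause granting read on everything else.
ACL_WITH_SET = [
    ("userPassword,userPKCS12,shadowLastChange,@krbPrincipalAux,@krbTicketPolicyAux",
     {"anonymous": "auth", "*": "none"}),
    ("*", {"*": "read"}),
]
# Same rule with the objectClass sets replaced by explicit attribute names.
ACL_EXPLICIT = [
    ("userPassword,userPKCS12,shadowLastChange,krbPrincipalName,krbPrincipalKey,krbMaxTicketLife",
     {"anonymous": "auth", "*": "none"}),
    ("*", {"*": "read"}),
]
```

With the set form, objectClass resolves to "auth" for an anonymous search and is therefore not returned; with the explicit list it falls through to the catch-all and is readable.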