Jan-Piet Mens wrote:
access to dn.subtree="ou=people,dc=example,dc=com" attrs=@entryAccessEntities
but strangely this ALSO changes the privileges for the objectClass attribute of the entry!
I can confirm that's happening here with the same OpenLDAP version. I've been banging my head all afternoon trying to find my own typo...
Don't inherit from top.
My ACL looks like this:
access to attrs=userPassword,userPKCS12,shadowLastChange,@krbPrincipalAux,@krbTicketPolicyAux
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
    by group="cn=LDAPadmins,ou=Groups,dc=mens,dc=de" write
    by anonymous auth
    by self none
    by * none
That hides the objectClass type.
$ ldapsearch -x -LLL uid=f2
dn: uid=f2,ou=Users,dc=mens,dc=de
uid: f2
cn: Joe Guest
gecos: Joe Guest
gidNumber: 4
homeDirectory: /home/f2
loginShell: /bin/bash
sn: Guest
uidNumber: 902
If I list the attrs of that object class instead, there is no problem:
ACK. If I replace @krbPrincipalAux,@krbTicketPolicyAux by their list of attributes, the objectclass type reappears.
-JP
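The mechanism behind the thread: in slapd.access(5) an `@objectClass` entry in `attrs=` expands to every attribute the class requires or allows, including those inherited from its superiors. Every structural and auxiliary class ultimately inherits from `top`, and `top` has `MUST objectClass`, so `@krbPrincipalAux` silently pulls the `objectClass` attribute into the restricted set. Since slapd applies the first `access to` clause whose `<what>` matches, the fix is to match `objectClass` with an earlier clause. The following slapd.conf fragment is an added example, not part of the thread or of any project's configuration; the DNs and attribute names are reused from the ACL posted above, and the ordering is the point.

```conf
# Added example: keep objectClass readable while the class-derived
# attribute set stays restricted.

# 1. Match objectClass first. slapd stops at the first "access to" whose
#    <what> covers the attribute, so later clauses never see it.
access to attrs=objectClass
    by * read

# 2. Only now restrict the Kerberos and credential attributes. The
#    @krbPrincipalAux and @krbTicketPolicyAux expansions still contain
#    objectClass (inherited from top), but clause 1 already handled it.
access to attrs=userPassword,userPKCS12,shadowLastChange,@krbPrincipalAux,@krbTicketPolicyAux
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
    by group="cn=LDAPadmins,ou=Groups,dc=mens,dc=de" write
    by anonymous auth
    by self none
    by * none

# 3. Whatever default rule the directory already had follows here.
```

Check the result with the same query as above, requesting the attribute explicitly: `ldapsearch -x -LLL uid=f2 objectClass` should now list the entry's object classes again. If anonymous binds should not learn which classes (and therefore which services, such as Kerberos) an entry carries, use `by users read` instead of `by * read` in clause 1, accepting that anonymous searches then see no `objectClass` at all. Replacing the `@class` forms with an explicit attribute list, as done in the thread, avoids the problem too, at the cost of having to maintain the list when the schema changes.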