I am facing the following problem (with v2.4.31 on CentOS 5.8).
I am using a - recently added - custom schema with one AUX objectclass and 3 optional attrs; I am trying to use an ACL of the form:
access to dn.subtree="ou=people,dc=example,dc=com" attrs=@entryAccessEntities by group/groupOfNames/member.exact="cn=Admins,ou=groups,dc=example,dc=com" read
but strangely this ALSO changes the privileges for the objectClass attribute of the entry!
If I list the attrs of that object class instead, there is no problem:
access to dn.subtree="ou=people,dc=example,dc=com" attrs=writeAccessEntities,readAccessEntities,searchAccessEntities by group/groupOfNames/member.exact="cn=Admins,ou=groups,dc=example,dc=com" read
Now, the ACL works correctly, and it does not affect the entry objectClass attribute.
Surprisingly, this does not happen with other object classes. If I use, for example:
access to dn.subtree="ou=people,dc=example,dc=com" attrs=@eduPerson by group/groupOfNames/member.exact="cn=Admins,ou=groups,dc=example,dc=com" read
then, it correctly assigns privileges to only the attrs of eduPerson object class (also an AUX class with only optional attrs), without affecting the entry objectclass attribute.
Does anyone have an idea what is happening? Am I doing anything wrong?
Any help will be appreciated.
For reference I include the schema below.
Note: I am using dynamic config, but I have listed schema and ACLs in their "standard" form, for better readability.
Thanks, Nick
===================================================== entryaccess.schema =====================================================
attributetype ( 1.3.6.1.4.1.39349.4.1.11 NAME 'writeAccessEntities' DESC 'DNs of Groups which should be allowed write (full) access to this entry' SUP distinguishedName ) attributetype ( 1.3.6.1.4.1.39349.4.1.12 NAME 'readAccessEntities' DESC 'DNs of Groups which should be allowed read (read-only) access to this entry' SUP distinguishedName ) attributetype ( 1.3.6.1.4.1.39349.4.1.13 NAME 'searchAccessEntities' DESC 'DNs of Groups which should be allowed search (search-only) access to this entry' SUP distinguishedName )
objectclass ( 1.3.6.1.4.1.39349.4.2.101 NAME 'entryAccessEntities' DESC 'Allow access to the entry, to which this class is added, to the entities specified as the values (DNs) of this class attributes' SUP top AUXILIARY MAY ( writeAccessEntities $ readAccessEntities $ searchAccessEntities ) )
=====================================================