Re: attrs=@objectClassName affects objectClass attribute

> access to dn.subtree="ou=people,dc=example,dc=com"
> attrs=@entryAccessEntities
> but strangely this ALSO changes the privileges for the objectClass
> attribute of the entry!

I can confirm that's happening here with the same OpenLDAP version. I've
been banging my head all afternoon trying to find my own typo...

My ACL looks like this:

access to attrs=userPassword,userPKCS12,shadowLastChange,@krbPrincipalAux,@krbTicketPolicyAux
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
        by group="cn=LDAPadmins,ou=Groups,dc=mens,dc=de" write
        by anonymous auth
        by self none
        by * none

That hides the objectClass type.

        $ ldapsearch -x -LLL uid=f2
        dn: uid=f2,ou=Users,dc=mens,dc=de
        uid: f2
        cn: Joe Guest
        gecos: Joe Guest
        gidNumber: 4
        homeDirectory: /home/f2
        loginShell: /bin/bash
        sn: Guest
        uidNumber: 902

> If I list the attrs of that object class instead, there is no problem:

ACK.  If I replace @krbPrincipalAux,@krbTicketPolicyAux by their list of
attributes, the objectClass type reappears.