
Re: attrs=@objectClassName affects objectClass attribute

Jan-Piet Mens wrote:
access to dn.subtree="ou=people,dc=example,dc=com"

but strangely this ALSO changes the privileges for the objectClass
attribute of the entry!

I can confirm that's happening here with the same OpenLDAP version. I've
been banging my head all afternoon trying to find my own typo...

Don't inherit from top.

My ACL looks like this:

access to attrs=userPassword,userPKCS12,shadowLastChange,@krbPrincipalAux,@krbTicketPolicyAux
         by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
         by group="cn=LDAPadmins,ou=Groups,dc=mens,dc=de" write
         by anonymous auth
         by self none
         by * none

That hides the objectClass type.

         $ ldapsearch -x -LLL uid=f2
         dn: uid=f2,ou=Users,dc=mens,dc=de
         uid: f2
         cn: Joe Guest
         gecos: Joe Guest
         gidNumber: 4
         homeDirectory: /home/f2
         loginShell: /bin/bash
         sn: Guest
         uidNumber: 902

If I list the attrs of that object class instead, there is no problem:

ACK.  If I replace @krbPrincipalAux,@krbTicketPolicyAux by their list of
attributes, the objectclass type reappears.


  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
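Added example, not from any message in this thread: one way to keep the @krbPrincipalAux shorthand and still leave objectClass readable is to give objectClass its own access clause ahead of the restrictive one, because slapd applies the first "access to" clause whose attrs match a given attribute. The DNs and attribute names are copied from the ACL quoted above; the "by * read" scope on objectClass is an assumption and should be narrowed if objectClass values are themselves sensitive in your directory.

```conf
# BEFORE (as quoted in the thread). @krbPrincipalAux expands to every
# attribute the class requires or allows; because the class inherits from
# top, that set includes objectClass, so anonymous and self readers lose it.
access to attrs=userPassword,userPKCS12,shadowLastChange,@krbPrincipalAux,@krbTicketPolicyAux
         by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
         by group="cn=LDAPadmins,ou=Groups,dc=mens,dc=de" write
         by anonymous auth
         by self none
         by * none

# AFTER. A clause for objectClass placed first wins for that attribute
# (first matching clause is used per attribute), so the expanded list in the
# following clause no longer governs it. "by * read" is an assumed scope;
# tighten it to match what your directory should expose.
access to attrs=objectClass
         by * read

access to attrs=userPassword,userPKCS12,shadowLastChange,@krbPrincipalAux,@krbTicketPolicyAux
         by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
         by group="cn=LDAPadmins,ou=Groups,dc=mens,dc=de" write
         by anonymous auth
         by self none
         by * none

# Check after restarting slapd: objectClass should reappear in
#   ldapsearch -x -LLL uid=f2 objectClass
# while userPassword stays hidden for the same anonymous bind.
```

Only one of the two blocks belongs in a real slapd.conf; the BEFORE block is left in place here purely for comparison.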