> access to dn.subtree="ou=people,dc=example,dc=com"
> attrs=@entryAccessEntities
>
> but strangely this ALSO changes the privileges for the objectClass
> attribute of the entry!
I can confirm that's happening here with the same OpenLDAP version. I've
been banging my head all afternoon trying to find my own typo...
My ACL looks like this:
access to attrs=userPassword,userPKCS12,shadowLastChange,@krbPrincipalAux,@krbTicketPolicyAux
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
    by group="cn=LDAPadmins,ou=Groups,dc=mens,dc=de" write
    by anonymous auth
    by self none
    by * none
That hides the objectClass type.
$ ldapsearch -x -LLL uid=f2
dn: uid=f2,ou=Users,dc=mens,dc=de
uid: f2
cn: Joe Guest
gecos: Joe Guest
gidNumber: 4
homeDirectory: /home/f2
loginShell: /bin/bash
sn: Guest
uidNumber: 902
> If I list the attrs of that object class instead, there is no problem:
ACK. If I replace @krbPrincipalAux,@krbTicketPolicyAux by their list of
attributes, the objectClass type reappears.
-JP
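An added regression check, not part of the thread and not OpenLDAP's own tooling: after changing an ACL that uses the @objectclass syntax, run ldapsearch as each identity the ACL is meant to affect (a bound user, anonymous, the peercred root) and feed the LDIF into this script, which reports every entry that came back without an objectClass attribute, exactly the symptom described above. The SAMPLE_LDIF built in is constructed from the entry quoted in the thread plus a second, made-up entry; the script is not tied to that server.

```python
import base64
import sys
from typing import Dict, List

# Constructed sample: the ldapsearch -LLL output quoted in the thread (which
# lacks objectClass) plus a made-up second entry that still shows its
# objectClass values. It also exercises LDIF line folding and base64 values.
SAMPLE_LDIF = """\
dn: uid=f2,ou=Users,dc=mens,dc=de
uid: f2
cn: Joe Guest
gecos: Joe Guest
gidNumber: 4
homeDirectory: /home/f2
loginShell: /bin/bash
sn: Guest
uidNumber: 902

dn: uid=f3,ou=Users,dc=mens,dc=de
objectClass: inetOrgPerson
objectClass: posixAccount
uid: f3
cn: Jane
  Guest
gecos:: SmFuZSBHdWVzdA==
sn: Guest
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF as printed by ldapsearch -LLL into a list of entries.

    Each entry maps the lower-cased attribute type to its list of values.
    A line starting with a space continues the previous line (LDIF folding),
    "attr:: <b64>" carries a base64 value, comments and "version:" are skipped,
    and a blank line ends an entry.
    """
    # Unfold continuation lines first.
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:  # trailing "" flushes the last entry
        if line.strip() == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        attr, rest = line.split(":", 1)
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def entries_missing_attr(entries: List[Dict[str, List[str]]],
                         attr: str = "objectClass") -> List[str]:
    """Return the DNs of entries that were returned without the given attribute."""
    key = attr.lower()
    return [e["dn"][0] for e in entries if key not in e]


if __name__ == "__main__":
    # Read ldapsearch output from stdin; fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    hidden = entries_missing_attr(parse_ldif(text))
    for dn in hidden:
        print(f"objectClass hidden by ACL: {dn}")
    sys.exit(1 if hidden else 0)
```

Typical use is ldapsearch -x -LLL on the affected subtree piped into the script; a non-zero exit makes it usable in a post-change smoke test, and the same check can be pointed at any attribute that an @objectclass rule may have swept up unexpectedly by passing a different attr.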