[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: attrs=@objectClassName affects objectClass attribute

To: openldap-technical@openldap.org
Subject: Re: attrs=@objectClassName affects objectClass attribute
From: Jan-Piet Mens <jpmens.dns@gmail.com>
Date: Wed, 6 Jun 2012 17:19:39 +0200
Content-disposition: inline
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=date:from:to:subject:message-id:references:mime-version :content-type:content-disposition:in-reply-to:user-agent:sender; bh=BvAAzhTs3KpZhgf5RchBtONjfQHPeav8MtnAsgfu3ZA=; b=Q5RgLH8Q77catJGwZ5VQj7kqAyLfQItsPJ33fXK53Phy6EafhhEBnX8Kpr5Xj8W27o Sjyf0XsKY7n7lFw+gFFptj23KBPVjt3vQON8rWtdURV1+q5W46YjHBd2b0KDJndQMbVz zTXg/4VU/dbaO249fjlRWPIR/NDYFE6Tj71Oi7hpIN+EvFHVj9MMsu9IyvHvhwY+5Vr4 gb3wrvq4RHVYFw0rov0OlsxtLU8Y0ryjrTc0xbh3FkYHSRto/YVrjs2eOUcAclpO8KfT 3WnWAp0xg/wTCGMx9GNXn9OecnbM6+QzQnSF221mOiriT9G+zIjFR7gQzruAL+IF3nrf 4JIQ==
In-reply-to: <4FCF6BCB.7050807@eurobjects.com>
References: <4FCF6BCB.7050807@eurobjects.com>
User-agent: vim (7.2)/Mutt (1.5.21)

> access to dn.subtree="ou=people,dc=example,dc=com"
> attrs=@entryAccessEntities
> 
> but strangely this ALSO changes the privileges for the objectClass
> attribute of the entry!

I can confirm that's happening here with same OpenLDAP version. I've
been banging my head all afternoon trying to find my own typo...


My ACL looks like this:

access to attrs=userPassword,userPKCS12,shadowLastChange,@krbPrincipalAux,@krbTicketPolicyAux
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
        by group="cn=LDAPadmins,ou=Groups,dc=mens,dc=de" write
        by anonymous auth
        by self none
        by * none

That hides the objectClass type.

        $ ldapsearch -x -LLL uid=f2
        dn: uid=f2,ou=Users,dc=mens,dc=de
        uid: f2
        cn: Joe Guest
        gecos: Joe Guest
        gidNumber: 4
        homeDirectory: /home/f2
        loginShell: /bin/bash
        sn: Guest
        uidNumber: 902

> If I list the attrs of that object class instead, there is no problem:

ACK.  If I replace @krbPrincipalAux,@krbTicketPolicyAux by their list of
attributes, the objectclass type reappears.

        -JP

Follow-Ups:
- Re: attrs=@objectClassName affects objectClass attribute
  - From: Howard Chu <hyc@symas.com>

References:
- attrs=@objectClassName affects objectClass attribute
  - From: Nick Milas <nick@eurobjects.com>

Prev by Date: Wildcard and Internal Domain
Next by Date: Re: Wildcard and Internal Domain
Index(es):
- Chronological
- Thread