Re: attrs=@objectClassName affects objectClass attribute

[Howard Chu <hyc@symas.com>]

Jan-Piet Mens wrote:
> > access to dn.subtree="ou=people,dc=example,dc=com"
> > attrs=@entryAccessEntities
> >
> > but strangely this ALSO changes the privileges for the objectClass
> > attribute of the entry!
>
> I can confirm that's happening here with same OpenLDAP version. I've
> been banging my head all afternoon trying to find my own typo...

Don't inherit from top.

> My ACL looks like this:
>
> access to attrs=userPassword,userPKCS12,shadowLastChange,@krbPrincipalAux,@krbTicketPolicyAux
>          by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
>          by group="cn=LDAPadmins,ou=Groups,dc=mens,dc=de" write
>          by anonymous auth
>          by self none
>          by * none
>
> That hides the objectClass type.
>
>          $ ldapsearch -x -LLL uid=f2
>          dn: uid=f2,ou=Users,dc=mens,dc=de
>          uid: f2
>          cn: Joe Guest
>          gecos: Joe Guest
>          gidNumber: 4
>          homeDirectory: /home/f2
>          loginShell: /bin/bash
>          sn: Guest
>          uidNumber: 902
>
> > If I list the attrs of that object class instead, there is no problem:
>
> ACK.  If I replace @krbPrincipalAux,@krbTicketPolicyAux by their list of
> attributes, the objectclass type reappears.
>
>          -JP


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/