My ACL looks like this:
access to attrs=userPassword,userPKCS12,shadowLastChange,@krbPrincipalAux,@krbTicketPolicyAux
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
        by group="cn=LDAPadmins,ou=Groups,dc=mens,dc=de" write
        by anonymous auth
        by self none
        by * none
That hides the objectClass type.
$ ldapsearch -x -LLL uid=f2
dn: uid=f2,ou=Users,dc=mens,dc=de
uid: f2
cn: Joe Guest
gecos: Joe Guest
gidNumber: 4
homeDirectory: /home/f2
loginShell: /bin/bash
sn: Guest
uidNumber: 902
If I list the attrs of that object class instead, there is no problem:
ACK. If I replace @krbPrincipalAux,@krbTicketPolicyAux by their list of
attributes, the objectclass type reappears.
-JP