Hello, I have a problem configuring correct ACLs:

If you want to grant access to a specific attribute and allow adding the necessary object class for it, we could define the following, assuming objectClass is "O" and the attribute name is "A":

    access to attrs=@O
        by self write
        by * +0 break

This works, but it also allows access to any value in the "objectClass" attribute and is therefore a massive security hole.

An alternative, which the manpage seems to describe (https://linux.die.net/man/5/slapd.access), would be:

    access to attrs=objectClass value="O"
        by self write
        by * +0 break

    access to attrs=A
        by self write
        by * +0 break

But when I apply this and want to add the object class, I simply get the INSUFFICIENT_ACCESS error code.

Maybe someone can help? If it's not possible, I think the manpage should be adjusted and mention this more explicitly. Maybe there is an exception for "objectClass"? Or is it a bug in the implementation?

Best regards
spaceone
