Hey Guys,

Is it possible to restrict some users to read,search,compare just specific attributes but still use objectclass=* as a filter?

My aci:
aci: (targetattr="uid || givenName || cn || sn || manager || mail")(targetfilter="(objectclass=*)")(version 3.0;aci "Access for app to specific needed attributes";allow (read,compare,search) groupdn="ldap:///cn=my-group";)

If I do a ldapsearch with this user (myuser is in the group my-group):

ldapsearch -b "dc=rnp,dc=local" -W -D "uid=myuser" uid=alberto.viana

Returns me the user alberto.viana and the attributes that acis allows

but if I do:

ldapsearch -b "dc=rnp,dc=local" -W -D "uid=myuser" objectclass=*
returns me nothing.


Alberto Viana