in 60univention-ldap-server_acl-slave we need something like (after the "access to attrs=userPassword,krb5Key,sambaNTPassword,sambaLMPassword,..." ACL) if configRegistry['ldap/hostdn']: print ' by dn.base="%s" read' % configRegistry['ldap/hostdn'] @!@ by * none +access to attrs=entry,objectClass + by * read break + + @!@
We should find out what the sense of this rule is. this allows everybody to read every object (but only the object class without further attributes). Please check if this is still necessary, it could be legacy code for the ldap-bind-proxy-service. As well here, instead of adding exceptions to our file a new file 59foo can be defined with the following content: access to attrs=entry,objectClass by * read break
*** This bug has been marked as a duplicate of bug 49390 ***