List: openldap-technical
Subject: Re: Replication problem with attributes
From: Quanah Gibson-Mount <quanah () symas ! com>
Date: 2017-11-09 15:03:35
Message-ID: 7A7A3C05C597B700ED7E116A () [192 ! 168 ! 1 ! 30]
--On Thursday, November 09, 2017 12:39 PM +0100 Dennis Meyer
<snooops84(a)gmail.com> wrote:
> olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
> olcAccess: {1}to attrs=loginShell,gecos by dn="cn=admin,dc=localdomain" write by self write by * read
> olcAccess: {2}to attrs=shadowLastChange by self write by * read
> olcAccess: {3}to * by * read
> olcAccess: {4}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=localdomain" write by dn="cn=mirrormode,dc=localdomain" read by * none
ACL {4} will never be evaluated, because ACL parsing stops on the first
match, which will be ACL {3} (access to everything by anyone read). Even
if you fix that problem, ACL {4} would still be unlikely to be evaluated
due to ACL {0} as well.
> Any ideas how I could solve this?
Fix your ACLs. ;) Something like:
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=localdomain" write by dn="cn=mirrormode,dc=localdomain" read
olcAccess: {1}to attrs=loginShell,gecos by dn="cn=admin,dc=localdomain" write by self write by * read
olcAccess: {2}to attrs=shadowLastChange by self write by dn="cn=admin,dc=localdomain" write by * read
olcAccess: {3}to * by dn="cn=admin,dc=localdomain" write by * read
Note that "by * none" at the end of an ACL is implicit, so it's not
required to list it explicitly.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
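The following is an added example for this archive page; it is neither part of the thread nor OpenLDAP code. It is a small Python model of the two ordering rules Quanah relies on: slapd selects the first olcAccess rule whose "to" clause matches the attribute and never looks past it, and inside that rule the first "by" clause whose "who" matches the requester decides the level, with "by * none" implied at the end. Running both ACL lists from the thread through it shows why the mirrormode DN gets no access to userPassword under the original list and read access under the corrected one, and the unreachable() lint flags {4} as dead configuration. Only the "who" forms used in the thread (self, anonymous, *, dn= as exact match) plus "users" are modelled; the target user DN cn=someone,ou=people,dc=localdomain is an assumption, not from the thread.

```python
"""Toy model of how slapd walks an olcAccess list (added example, not slapd code)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class By:
    who: str    # "self", "anonymous", "users", "*", or "dn=<exact dn>"
    level: str  # none | auth | read | write


@dataclass
class Acl:
    attrs: Optional[frozenset]  # None means "to *"
    bys: List[By]


def parse_acl(rule: str) -> Acl:
    """Parse one olcAccess value such as '{0}to attrs=a,b by self write by * read'."""
    rule = rule.strip()
    if rule.startswith("{"):                     # drop the cn=config {n} ordering prefix
        rule = rule[rule.index("}") + 1:]
    if not rule.startswith("to "):
        raise ValueError(f"not an access rule: {rule!r}")
    what, *bys = rule[3:].split(" by ")
    what = what.strip()
    if what == "*":
        attrs = None
    elif what.startswith("attrs="):
        attrs = frozenset(what[len("attrs="):].split(","))
    else:
        raise ValueError(f"unsupported <what>: {what!r}")
    clauses = []
    for clause in bys:
        who, level = clause.strip().rsplit(None, 1)
        clauses.append(By(who.replace('"', ""), level))   # dn="x" -> dn=x
    return Acl(attrs, clauses)


def who_matches(who: str, requester: Optional[str], target_dn: str) -> bool:
    """requester is the bound DN, or None for an anonymous session."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == target_dn.lower()
    if who.startswith("dn="):                    # slapd's dn= defaults to exact match
        return requester is not None and requester.lower() == who[3:].lower()
    raise ValueError(f"unsupported <who>: {who!r}")


def access(acls: List[Acl], requester: Optional[str], target_dn: str, attr: str) -> str:
    """Level the list grants `requester` on `attr` of entry `target_dn`."""
    for acl in acls:
        if acl.attrs is not None and attr not in acl.attrs:
            continue                             # <what> misses: try the next rule
        for by in acl.bys:
            if who_matches(by.who, requester, target_dn):
                return by.level                  # first matching <who> wins
        return "none"                            # implicit "by * none" closes every rule
    return "none"                                # non-empty list ends with implicit "to * by * none"


def unreachable(acls: List[Acl]) -> List[int]:
    """Indices of rules that can never be selected: every attribute they name is
    already caught by an earlier rule, so slapd stops before reaching them."""
    dead = []
    for i, acl in enumerate(acls):
        earlier = acls[:i]
        if acl.attrs is None:
            shadowed = any(e.attrs is None for e in earlier)
        else:
            shadowed = all(any(e.attrs is None or a in e.attrs for e in earlier)
                           for a in acl.attrs)
        if shadowed:
            dead.append(i)
    return dead


ADMIN = "cn=admin,dc=localdomain"
MIRROR = "cn=mirrormode,dc=localdomain"
USER = "cn=someone,ou=people,dc=localdomain"     # assumed target entry, not from the thread

ORIGINAL = [parse_acl(r) for r in [              # the poster's list, as quoted above
    '{0}to attrs=userPassword by self write by anonymous auth by * none',
    '{1}to attrs=loginShell,gecos by dn="cn=admin,dc=localdomain" write by self write by * read',
    '{2}to attrs=shadowLastChange by self write by * read',
    '{3}to * by * read',
    '{4}to attrs=userPassword,shadowLastChange by self write by anonymous auth '
    'by dn="cn=admin,dc=localdomain" write by dn="cn=mirrormode,dc=localdomain" read by * none',
]]
FIXED = [parse_acl(r) for r in [                 # Quanah's corrected list
    '{0}to attrs=userPassword by self write by anonymous auth '
    'by dn="cn=admin,dc=localdomain" write by dn="cn=mirrormode,dc=localdomain" read',
    '{1}to attrs=loginShell,gecos by dn="cn=admin,dc=localdomain" write by self write by * read',
    '{2}to attrs=shadowLastChange by self write by dn="cn=admin,dc=localdomain" write by * read',
    '{3}to * by dn="cn=admin,dc=localdomain" write by * read',
]]

if __name__ == "__main__":
    for name, acls in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, "mirrormode on userPassword:", access(acls, MIRROR, USER, "userPassword"),
              "| admin on userPassword:", access(acls, ADMIN, USER, "userPassword"),
              "| unreachable rules:", unreachable(acls))
```

The unreachable() check is the part worth keeping around: run it over an exported olcAccess list before and after an edit, and any index it reports is a rule that can be deleted without changing behaviour, or, as here, a rule whose intended effect has to be merged into the earlier rule that shadows it.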