
List:       openldap-technical
Subject:    Re: Replication problem with attributes
From:       Quanah Gibson-Mount <quanah () symas ! com>
Date:       2017-11-09 15:03:35
Message-ID: 7A7A3C05C597B700ED7E116A () [192 ! 168 ! 1 ! 30]


--On Thursday, November 09, 2017 12:39 PM +0100 Dennis Meyer <snooops84(a)gmail.com> wrote:


> olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
> olcAccess: {1}to attrs=loginShell,gecos by dn="cn=admin,dc=localdomain" write by self write by * read
> olcAccess: {2}to attrs=shadowLastChange by self write by * read
> olcAccess: {3}to * by * read
> olcAccess: {4}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=localdomain" write by dn="cn=mirrormode,dc=localdomain" read by * none

ACL {4} will never be evaluated, because ACL parsing stops on the first 
match, which will be ACL {3} (access to everything by anyone read).  Even 
if you fix that problem, ACL {4} would still be unlikely to be evaluated 
due to ACL {0} as well.

> Any ideas how I could solve this?

Fix your ACLs. ;)  Something like:

olcAccess: {0}to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=localdomain" write by dn="cn=mirrormode,dc=localdomain" read
olcAccess: {1}to attrs=loginShell,gecos by dn="cn=admin,dc=localdomain" write by self write by * read
olcAccess: {2}to attrs=shadowLastChange by self write by dn="cn=admin,dc=localdomain" write by * read
olcAccess: {3}to * by dn="cn=admin,dc=localdomain" write by * read

Note that "by * none" at the end of an ACL is implicit, so it's not 
required to list it explicitly.

--Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
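An added example, not part of the thread: a small Python model of slapd's first-match ACL evaluation, run over the original and the corrected directives from the message to show which directive decides access for the cn=mirrormode bind (and that {4} never does). It models only the target and subject forms used in this post; the entry DN uid=u1,dc=localdomain used when exercising it is a constructed sample.

```python
# Added example, not from the thread: a minimal model of slapd's first-match
# ACL evaluation, restricted to the clause forms used in this post (targets
# "attrs=..." / "*"; subjects self, anonymous, dn="...", "*"; no break/continue).
ORIGINAL = [  # directives from the message, without the olcAccess: {n} prefix
    'to attrs=userPassword by self write by anonymous auth by * none',
    'to attrs=loginShell,gecos by dn="cn=admin,dc=localdomain" write by self write by * read',
    'to attrs=shadowLastChange by self write by * read',
    'to * by * read',
    'to attrs=userPassword,shadowLastChange by self write by anonymous auth '
    'by dn="cn=admin,dc=localdomain" write by dn="cn=mirrormode,dc=localdomain" read by * none',
]
FIXED = [
    'to attrs=userPassword by self write by anonymous auth '
    'by dn="cn=admin,dc=localdomain" write by dn="cn=mirrormode,dc=localdomain" read',
    'to attrs=loginShell,gecos by dn="cn=admin,dc=localdomain" write by self write by * read',
    'to attrs=shadowLastChange by self write by dn="cn=admin,dc=localdomain" write by * read',
    'to * by dn="cn=admin,dc=localdomain" write by * read',
]
# Access levels in slapd.access(5) order; a higher level implies the lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def parse_acl(line):
    """Split 'to <what> by <who> <level> by ...' into (attr set or None, by-clauses)."""
    head, *clauses = line.split(" by ")
    target = head[len("to "):].strip()
    attrs = None if target == "*" else set(target[len("attrs="):].split(","))
    return attrs, [tuple(c.strip().rsplit(" ", 1)) for c in clauses]

def subject_matches(who, requester, entry_dn):
    if who.startswith('dn="') and who.endswith('"'):
        return requester == who[4:-1]
    return {"*": True, "anonymous": requester == "",
            "self": requester != "" and requester == entry_dn}[who]

def evaluate(acls, attr, requester, entry_dn):
    """Return (index of the deciding directive, level granted)."""
    for i, line in enumerate(acls):
        attrs, by = parse_acl(line)
        if attrs is None or attr in attrs:   # first target match is final
            for who, level in by:            # first matching 'by' clause wins
                if subject_matches(who, requester, entry_dn):
                    return i, level
            return i, "none"                 # implicit trailing 'by * none'
    return None, "none"  # model's assumption when no directive matches

def allows(acls, attr, requester, entry_dn, needed):
    return LEVELS.index(evaluate(acls, attr, requester, entry_dn)[1]) >= LEVELS.index(needed)
```

Running `evaluate(ORIGINAL, "userPassword", "cn=mirrormode,dc=localdomain", entry)` returns `(0, "none")`, i.e. directive {0} already denies the replication bind before {4} is ever consulted, while the corrected set returns `(0, "read")`.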
