On Thu, 12 Jun 2008, Sven Buchstaller wrote:
> I need a user "it" that can modify the passwords of all users in my LDAP. At the moment my settings in the acl.conf are:
> [cut]
> Can I do it like this:
>
>   access to dn.subtree="ou=users,dc=server1,dc=intern"
>       by self write
>       by dn="uid=intern,ou=users,dc=server1,dc=intern"
>       by * read
>       by dn="uid=it,ou=users,dc=server1,dc=intern"
>       by * write
1. Best practice is to write "dn.exact" if that's your intention.
2. You have no <access> fields for uid=intern nor uid=it.
3. Two "by *" rules are irrelevant; only one can fire (in the absence of any <control> fields).
4. Most, most, most importantly, order matters. So those last two lines are never reached; "by * read" matches all first.
Please read slapd.access(5) man page entirely and carefully.
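For readers following the thread, here is an added example of how the ACL from the question would look once the four points above are applied. It is not from either poster; the DNs are the ones used in the question, and the `write` level given to uid=intern is an assumption (the question never states what that account should be allowed to do). Two slapd.access(5) rules drive the layout: the first `access to` directive whose target matches the entry and attribute is the one used, and within it the first matching `by` clause is applied and evaluation stops, so broad clauses like `by * read` must come last.

```conf
# Password attribute first: the dn.subtree rule below also matches
# userPassword, and the first matching "access to" directive wins.
access to attrs=userPassword
    by self write
    # dn.exact: match this one entry, not a subtree or pattern
    by dn.exact="uid=it,ou=users,dc=server1,dc=intern" write
    # simple binds need "auth" on userPassword for the bind DN's entry
    by anonymous auth
    # nobody else may read password hashes
    by * none

# Everything else under ou=users. Specific requesters are listed
# before the catch-all; a "by *" placed earlier would shadow them.
access to dn.subtree="ou=users,dc=server1,dc=intern"
    by self write
    by dn.exact="uid=it,ou=users,dc=server1,dc=intern" write
    # assumed level for uid=intern; the question leaves it unspecified
    by dn.exact="uid=intern,ou=users,dc=server1,dc=intern" write
    by * read
```

Each `by` clause now carries an explicit access level, there is a single `by *` catch-all per directive, and it sits last. To check the result without restarting slapd, run `slapacl -b "uid=someone,ou=users,dc=server1,dc=intern" -D "uid=it,ou=users,dc=server1,dc=intern" userPassword/write` against the config; it prints whether that bind DN is granted write on that attribute.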