Hello all,
We are currently migrating from a master-slave to a multi-master setup. All went well except for the fact that the access on the old master node was more liberal than the access on the slave node. As a result some applications were able to use this to their advantage and now are not working quite correctly when each node is a read-write master.
Here is my configuration:
#access to dn.regex="mail=.*.managed@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US"
#        attrs=userPassword,accountstatus
#    by dn="mail=john@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" write break
#    by dn="mail=sara@jointhegrid.com,ou=user,ou=jointhegrid,o=jointhegrid,c=US" write break

access to attr=userPassword
    by self write
    by anonymous auth
    by dn="mail=samba@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" read
    by dn="mail=samba@jointhegrid-inc.com,ou=user,ou=jointhegrid-inc.com,o=jointhegrid,c=US" read
    by * none

access to attrs=sambaLMPassword,sambaNTPassword
    by dn="mail=samba@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" read
    by dn="mail=samba@jointhegrid-inc.com,ou=user,ou=jointhegrid-inc.com,o=jointhegrid,c=US" read
    by self write
    by * none

access to *
    by dn="mail=samba@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" write
    by dn="mail=samba@jointhegrid-inc.com,ou=user,ou=jointhegrid-inc.com,o=jointhegrid,c=US" write
    by dnattr=manager write
    by self write
    by users read
    by * none
My problem is the top commented lines; these rules are to allow sara and john to administer all "mail=.*.managed" users. This worked fine in the past because no read queries hit the master, but now with multi-master the "mail=.*.managed" users have no access to the directory. The old rule was
# by dn="mail=sara@jointhegrid.com,ou=user,ou=jointhegrid,o=jointhegrid,c=US" write stop
I also tried
# by dn="mail=sara@jointhegrid.com,ou=user,ou=jointhegrid,o=jointhegrid,c=US" write break
I was under the impression that "write break" would continue evaluation, but I do not understand how this is working. Can anyone help me with a suggestion for fixing this?
Thank you!
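As an added example (not from the original post), the first directive written so that it follows OpenLDAP's documented evaluation order: the first access directive whose target matches is the one used, the first matching "by" clause inside it decides, and if no "by" clause matches the implicit "by * none" denies. A "by * none break" clause at the end lets requesters the directive does not name fall through to the later directives, which is what the managed users need in order to bind. DNs are taken from the post as-is.

```conf
# Added example, not the poster's or OpenLDAP's own configuration.
#
# Why the commented-out version locks managed users out: when a managed user
# (or an anonymous bind on its behalf) touches userPassword, this directive is
# the first whose target matches, only john and sara have "by" clauses, so the
# implicit "by * none" (stop) applies and the later "by anonymous auth" is
# never reached.
#
# Why "write break" on john/sara does not help: "break" keeps evaluating the
# following matching directives and the last matching clause wins, so john's
# write is overridden by "access to attr=userPassword ... by * none".
#
# Fix: give john and sara a plain (stop) decision and send everyone else on
# with "by * none break" instead of the implicit deny.
access to dn.regex="mail=.*.managed@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US"
        attrs=userPassword,accountstatus
    by dn="mail=john@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" write
    # copied as posted: note sara's ou (ou=jointhegrid) differs from john's
    # (ou=jointhegrid.com); confirm it matches her real entry
    by dn="mail=sara@jointhegrid.com,ou=user,ou=jointhegrid,o=jointhegrid,c=US" write
    # anyone else: make no decision here, continue with the next directive
    by * none break

# Unchanged from the post. Managed users and anonymous binds now reach it,
# so "by self write" and "by anonymous auth" apply to them as before.
access to attr=userPassword
    by self write
    by anonymous auth
    by dn="mail=samba@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" read
    by dn="mail=samba@jointhegrid-inc.com,ou=user,ou=jointhegrid-inc.com,o=jointhegrid,c=US" read
    by * none
```

Because slapd only ever consults the first matching directive unless told to continue, checking a change like this with slapacl against a managed user's DN (once as the user, once anonymously, once as john) is a quick way to confirm each requester gets the intended level before replicating the configuration to the other masters.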