We have a setup whereby a group of users are able to create accounts
in specific OUs. This is handled by ACLs like this one:
add: olcAccess
olcAccess: to dn.exact="ou=team1,ou=accounts,dc=example,dc=org" attrs=children
  by group/groupOfUniqueNames/uniqueMember="cn=account-mgrs-non-staff,ou=mailing,ou=groups,dc=example,dc=org" write
  by users read
  by * none
-
add: olcAccess
olcAccess: to dn.sub="ou=team1,ou=accounts,dc=example,dc=org" attrs=entry
  by group/groupOfUniqueNames/uniqueMember="cn=account-mgrs-non-staff,ou=mailing,ou=groups,dc=example,dc=org" write
  by users read
  by * none
-
I've been asked if the people who create those accounts can edit the
passwords after the accounts have been created. I tried to do that by
changing the second access line to read:
add: olcAccess
olcAccess: to dn.sub="ou=team1,ou=accounts,dc=example,dc=org" attrs=entry,userPassword,shadowLastChange
  by group/groupOfUniqueNames/uniqueMember="cn=account-mgrs-non-staff,ou=mailing,ou=groups,dc=example,dc=org" write
  by users read
  by * none
-
Now, my problem is that this is clashing with the rule that we have
for authentication:
# Allow LDAP admin and the account concerned to modify their password,
# anonymous to authenticate.
add: olcAccess
olcAccess: to attrs=userPassword,shadowLastChange
  by dn="cn=admin,dc=example,dc=org" write
  by anonymous auth
  by self write
  by * none
Initially, that rule was the first of the olcAccess rules. I thought in
advance that that was going to block the writes to userPassword &
shadowLastChange in subsequent rules, so I moved it to after the rules
that covered creating those accounts.
Authentication then broke :-(
I can't just add
  by group/groupOfUniqueNames/uniqueMember="cn=account-mgrs-non-staff,ou=mailing,ou=groups,dc=example,dc=org" write
to the primary olcAccess rule because that will allow members of
"account-mgrs-non-staff" to change the password on ANY account, which
I cannot allow. It must only be to specific OUs.
How do I fix this clash between the rules, please?
Thanks.
Philip
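Editor's note, added after the post (this is not part of Philip's message and not code from OpenLDAP): slapd evaluates olcAccess values in order and stops at the first <to> clause that covers the entry and attribute being accessed; only that clause's <by> list is then consulted, and if none of its <by> entries matches the requester the result is none. With the global userPassword rule first, it always wins for userPassword, so the group never reaches the <by> list that grants it write in ou=team1. Once it is moved below the ou=team1 rule that names userPassword, that subtree rule wins instead, and its <by> list has neither `by anonymous auth` nor `by self write`: anonymous binds against ou=team1 accounts can no longer authenticate, and those accounts can no longer change their own password. That rule also says `by users read` on userPassword, which lets every authenticated user read the password hashes in ou=team1. The Python below is an added, deliberately simplified model of the first-match semantics described in slapd.access(5) (no rootdn bypass, no `break`/`continue` controls, no privilege letters like `=w`); it parses the post's own directives, evaluates the two orderings the post describes, and adds a third ordering in which a team1-only userPassword/shadowLastChange rule, keeping the global rule's `by anonymous auth` and `by self write`, is placed ahead of the global rule. The manager `uid=mgr1`, the accounts `uid=alice` and `uid=bob`, and the `ou=staff` and `ou=team2` containers are constructed for the example and do not appear in the post.

```python
import shlex
from dataclasses import dataclass, field

# slapd privilege levels, weakest to strongest (slapd.access(5)).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

@dataclass
class Rule:
    scope: str        # "all", "exact" or "sub"
    base: str         # lower-cased DN the scope refers to ("" for "all")
    attrs: frozenset  # empty means every attribute
    by: list = field(default_factory=list)  # [(who, access), ...] in written order

def parse_olcaccess(text):
    """Parse the olcAccess subset used in the post: to [dn.exact=|dn.sub=]<dn> [attrs=a,b] by <who> <access> ..."""
    toks = shlex.split(text)  # shlex also strips the quotes around DNs
    assert toks[0] == "to", "an olcAccess value starts with 'to'"
    rule, i = Rule("all", "", frozenset()), 1
    while i < len(toks) and toks[i] != "by":
        t = toks[i]
        if t.startswith("dn.exact="):
            rule.scope, rule.base = "exact", t[len("dn.exact="):].lower()
        elif t.startswith("dn.sub="):
            rule.scope, rule.base = "sub", t[len("dn.sub="):].lower()
        elif t.startswith("attrs="):
            rule.attrs = frozenset(a.lower() for a in t[len("attrs="):].split(","))
        elif t != "*":
            raise ValueError(f"unsupported <what> clause: {t}")
        i += 1
    while i < len(toks):  # each remaining triple is "by <who> <access>"
        assert toks[i] == "by" and toks[i + 2] in LEVELS, f"bad <by> clause near {toks[i:i + 3]}"
        rule.by.append((toks[i + 1], toks[i + 2]))
        i += 3
    return rule

def _in_scope(rule, dn):
    dn = dn.lower()
    if rule.scope == "exact":
        return dn == rule.base
    return rule.scope == "all" or dn == rule.base or dn.endswith("," + rule.base)  # dn.sub includes the base

def _who_matches(who, requester, target_dn, groups):
    if who == "*":
        return True
    if requester is None or who == "anonymous":  # requester None = anonymous connection
        return requester is None and who == "anonymous"
    if who == "users":
        return True
    if who == "self":
        return requester.lower() == target_dn.lower()
    if who.startswith("dn="):
        return requester.lower() == who[len("dn="):].lower()
    if who.startswith("group/groupOfUniqueNames/uniqueMember="):
        return requester.lower() in groups.get(who.split("=", 1)[1].lower(), ())
    raise ValueError(f"unsupported <who> clause: {who}")

def granted(rules, groups, requester, target_dn, attr):
    """Level slapd grants: the first <to> clause covering the target decides, then the first
    matching <by> clause inside it; a covering clause with no matching <by> yields none."""
    attr = attr.lower()
    for rule in rules:
        if not _in_scope(rule, target_dn) or (rule.attrs and attr not in rule.attrs):
            continue
        for who, access in rule.by:
            if _who_matches(who, requester, target_dn, groups):
                return access
        return "none"
    return "none"  # no directive covers the target: denied once any directives exist

def allows(rules, groups, requester, target_dn, attr, needed):
    return LEVELS.index(granted(rules, groups, requester, target_dn, attr)) >= LEVELS.index(needed)

# DNs from the post, plus a constructed manager and two constructed accounts (not from the post).
GROUP_MGRS = "cn=account-mgrs-non-staff,ou=mailing,ou=groups,dc=example,dc=org"
ADMIN, TEAM1 = "cn=admin,dc=example,dc=org", "ou=team1,ou=accounts,dc=example,dc=org"
MGR, ALICE = "uid=mgr1,ou=staff,ou=accounts,dc=example,dc=org", f"uid=alice,{TEAM1}"
BOB = "uid=bob,ou=team2,ou=accounts,dc=example,dc=org"
GROUPS = {GROUP_MGRS: {MGR}}  # group DN -> its uniqueMember DNs (all already lower case)
BY_MGRS = f'by group/groupOfUniqueNames/uniqueMember="{GROUP_MGRS}" write'
PASSWORD_GLOBAL = f'to attrs=userPassword,shadowLastChange by dn="{ADMIN}" write by anonymous auth by self write by * none'
CHILDREN_TEAM1 = f'to dn.exact="{TEAM1}" attrs=children {BY_MGRS} by users read by * none'
ENTRY_TEAM1 = f'to dn.sub="{TEAM1}" attrs=entry {BY_MGRS} by users read by * none'
# The post's second attempt: password attributes folded into the team1 entry rule.
ENTRY_PW_TEAM1 = f'to dn.sub="{TEAM1}" attrs=entry,userPassword,shadowLastChange {BY_MGRS} by users read by * none'
# Suggested rule (added here, not from the post): team1-only password rule keeping the global <by> list.
PASSWORD_TEAM1 = f'to dn.sub="{TEAM1}" attrs=userPassword,shadowLastChange by dn="{ADMIN}" write {BY_MGRS} by anonymous auth by self write by * none'
ORDER_ORIGINAL = [PASSWORD_GLOBAL, CHILDREN_TEAM1, ENTRY_PW_TEAM1]  # global password rule first
ORDER_MOVED = [CHILDREN_TEAM1, ENTRY_PW_TEAM1, PASSWORD_GLOBAL]     # global password rule moved down
ORDER_FIXED = [PASSWORD_TEAM1, PASSWORD_GLOBAL, CHILDREN_TEAM1, ENTRY_TEAM1]

def check(order):
    rules = [parse_olcaccess(r) for r in order]
    return {
        "mgr_sets_team1_pw": allows(rules, GROUPS, MGR, ALICE, "userPassword", "write"),
        "mgr_sets_other_pw": allows(rules, GROUPS, MGR, BOB, "userPassword", "write"),
        "anon_can_bind_team1": allows(rules, GROUPS, None, ALICE, "userPassword", "auth"),
        "self_changes_pw": allows(rules, GROUPS, ALICE, ALICE, "userPassword", "write"),
        "users_read_team1_hash": allows(rules, GROUPS, BOB, ALICE, "userPassword", "read"),
    }
```

Running `check()` on the three orderings gives: with the global rule first, the manager cannot set a team1 password but anonymous auth and self write still work; with the global rule moved down, the manager can set team1 passwords but anonymous auth and self write on team1 accounts both fail and any authenticated user can read team1 hashes; with the team1-specific password rule placed first, the manager can set passwords only in ou=team1, anonymous auth and self write keep working, and hashes stay unreadable. In cn=config terms that third ordering is one new olcAccess value, `to dn.sub="ou=team1,ou=accounts,dc=example,dc=org" attrs=userPassword,shadowLastChange by dn="cn=admin,dc=example,dc=org" write by group/groupOfUniqueNames/uniqueMember="cn=account-mgrs-non-staff,ou=mailing,ou=groups,dc=example,dc=org" write by anonymous auth by self write by * none`, inserted ahead of the existing global userPassword rule, with the team1 entry rule left at `attrs=entry` only so that `by users read` never applies to password attributes. The check to run on a real server is the same set of binds and modifies against test accounts inside and outside the OU, since this model does not reproduce every slapd ACL feature.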