I have a client that coredumps with these ACLs. When I remove them, the
client is getting data from the LDAP server and I can see the queries it
is doing on the server. I thought the lines below would give access to
ou=Services and below by test, but I guess not.

dn: olcDatabase={-1}frontend,cn=config
olcAccess: {0} to dn.exact="" by * read
olcAccess: {1} to dn.exact="cn=Subschema" by * read
olcAccess: {2} to attrs=userPassword,shadowLastChange by ssf=256 self
  read by ssf=256 anonymous auth by * none
olcAccess: {3} to dn.exact="ou=Services,dc=example,dc=local"
  attrs="children" by dn.exact="cn=test,ou=Hosts,dc=example,dc=local"
  ssf=64 read by * break
olcAccess: {4} to dn.children="ou=Services,dc=example,dc=local" by
  dn.exact="cn=test,ou=Hosts,dc=example,dc=local" ssf=64 read
olcAccess: {5} to * by * none

acl_mask: access to entry "name=asdf,ou=Services,dc=example,dc=local", attr "bla" requested
acl_mask: access to entry "ou=Services,dc=example,dc=local", attr "entry" requested

I guess I should grep the log for the acl_mask entries, no? What would
be an advised procedure to do this? I also do not want to get a huge
list of ACLs for just one client type. Everything below
"ou=Services,dc=example,dc=local" is for test to read. (No password
attributes stored there.)
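
An added example, not part of the original post: one way to condense acl_mask request lines of the form quoted above into a short list of distinct entry/attribute pairs, each classified against the ou=Services base as the base entry itself (what a dn.exact rule covers), an entry below it (what a dn.children rule covers, which excludes the base), or outside. The function names and the sample log are constructed for illustration, and the DN comparison is a plain case-insensitive string match rather than full DN normalization.

```python
import re
from collections import Counter

# Matches the acl_mask request lines in the form quoted in the post.
ACL_MASK = re.compile(r'acl_mask: access to entry "([^"]*)", attr "([^"]*)" requested')

def scope(dn, base):
    """Classify dn relative to base: 'exact', 'children' or 'outside'.
    Plain case-insensitive string comparison, not full DN normalization."""
    dn, base = dn.strip().lower(), base.strip().lower()
    if dn == base:
        return "exact"
    if dn.endswith("," + base):
        return "children"
    return "outside"

def summarize(lines, base):
    """Count distinct (scope, entry DN, attribute) requests in the log lines."""
    counts = Counter()
    for line in lines:
        m = ACL_MASK.search(line)
        if m:
            dn, attr = m.groups()
            counts[(scope(dn, base), dn, attr)] += 1
    return counts

# Constructed sample log, modelled on the two lines quoted in the post,
# plus one unrelated line that the parser must skip.
SAMPLE_LOG = '''\
acl_mask: access to entry "name=asdf,ou=Services,dc=example,dc=local", attr "bla" requested
acl_mask: access to entry "ou=Services,dc=example,dc=local", attr "entry" requested
acl_mask: access to entry "name=asdf,ou=Services,dc=example,dc=local", attr "bla" requested
conn=1000 op=1 SRCH base="ou=Services,dc=example,dc=local" scope=2 deref=0 filter="(objectClass=*)"
'''.splitlines()

BASE = "ou=Services,dc=example,dc=local"

if __name__ == "__main__":
    # One line per distinct request: count, scope, attribute, entry DN.
    for (where, dn, attr), n in sorted(summarize(SAMPLE_LOG, BASE).items()):
        print(f"{n:4d}  {where:8s}  {attr:12s}  {dn}")
```

Each "exact" row is a request on the base entry itself and each "children" row is a request on an entry below it, so the output shows how many distinct what-clauses the client's queries actually touch.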