Hi Quanah,
Thanks for your reply.
Please find the requirements and permission
++++++++++++++++++++
We have a master and slave replication setup, where we have two users, admin (default), authuser and repluser for replication, which have full admin privileges.
I am trying to create a new user "replmonitor" to which I want to give access only to the attribute contextCSN.
Replmonitor user
++++
# replmonitor, ldapprod.com
dn: uid=replmonitor,dc=ldapprod,dc=com
objectClass: simpleSecurityObject
objectClass: account
uid: replmonitor
description: LDAP replication monitor
userPassword:: ######################
++++
This is the complete olcaccess for the users in olcDatabase={3}mdb.
++
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=ldapprod,dc=com" write by dn="uid=authuser,dc=ldapprod,dc=com" write by dn="uid=repluser,dc=ldapprod,dc=com" read by * none
olcAccess: {1}to dn.subtree="dc=ldappro,dc=com" by dn="cn=admin,dc=ldapprod,dc=com" write by dn="uid=authuser,dc=ldapprod,dc=com" write by dn="uid=repluser,dc=ldapprod,dc=com" read by * none
olcAccess: {2} to dn.subtree="dc=ldapprod,dc=com" attrs=contextCSN by dn="uid=replmonitor,dc=ldapprod,dc=com" read by * none =======> newly added
olcLimits: {0}dn.exact="uid=repluser,dc=ldapprod,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
olcLimits: {1}dn.exact="uid=authuser,dc=ldapprod,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
olcSecurity: tls=1
++
++++++++++++++++++
[root@devldap cn=config]# ldapsearch -x -H ldaps://10.0.0.1 -D "uid=replmonitor,dc=ldapprod,dc=com" -W -b "ldapprod,dc=com" contextCSN
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=ldapprod,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
Please help me: what am I missing here, such that I am not able to query the contextCSN?
I have been stuck for a complete day.
On Fri, 14 Feb 2020 at 03:21, Quanah Gibson-Mount quanah@symas.com wrote:
--On Thursday, February 13, 2020 5:50 PM +0530 keerthi krishnan keerthikrishnan1369@gmail.com wrote:
access to dn.base="dc=domain,dc=com" attrs=entry,children,contextcsn by dn.exact="uid=replmonitor,dc=domain,dc=com" read by * none
Access statements without the context of the full configuration provide no real information that can be acted upon the majority of the time. I would also note that "by * none" at the end of an ACL is implicit, as discussed in the slapd.access(5) man page, so there is no reason to explicitly list it.
If you want help with your ACLs, you need to provide your configuration (minus passwords).
Regards, Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
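As an added illustration that is not part of this thread, and not the poster's actual configuration, the following shows why the order of olcAccess directives matters for an ACL like the one being discussed. slapd evaluates the directives in index order and uses the first one whose target (dn plus attrs) matches; later directives are never consulted for that target. A directive with no attrs= applies to every attribute, including the "entry" pseudo-attribute that a search must be able to read before it can return the entry at all (hence Quanah's attrs=entry,children,contextcsn above). The DNs reuse the names from this thread and are assumptions; the file is not meant to be loaded as-is.

```ldif
# Added example, not the poster's config. Names reuse those from the
# thread; the "by * none" that slapd implies at the end of every directive
# is left off, as slapd.access(5) documents.

# Ordering that never reaches the replmonitor rule: {1} has no attrs=, so
# it matches every attribute (including "entry") of every entry under the
# suffix. replmonitor matches none of its "by" clauses, is denied there,
# and {2} is never evaluated for any contextCSN value.
olcAccess: {1}to dn.subtree="dc=ldapprod,dc=com"
  by dn.exact="cn=admin,dc=ldapprod,dc=com" write
  by dn.exact="uid=authuser,dc=ldapprod,dc=com" write
  by dn.exact="uid=repluser,dc=ldapprod,dc=com" read
olcAccess: {2}to dn.subtree="dc=ldapprod,dc=com" attrs=contextCSN
  by dn.exact="uid=replmonitor,dc=ldapprod,dc=com" read

# Ordering that lets replmonitor read contextCSN: the narrow rule comes
# first. contextCSN is held on the suffix entry, so dn.base is enough, and
# "entry" is granted alongside it so the entry itself is visible.
# Because the first matching directive is final, the existing privileged
# users must be repeated here or they would lose access to these two
# attributes of the suffix entry.
olcAccess: {1}to dn.base="dc=ldapprod,dc=com" attrs=entry,contextCSN
  by dn.exact="cn=admin,dc=ldapprod,dc=com" write
  by dn.exact="uid=authuser,dc=ldapprod,dc=com" write
  by dn.exact="uid=repluser,dc=ldapprod,dc=com" read
  by dn.exact="uid=replmonitor,dc=ldapprod,dc=com" read
olcAccess: {2}to dn.subtree="dc=ldapprod,dc=com"
  by dn.exact="cn=admin,dc=ldapprod,dc=com" write
  by dn.exact="uid=authuser,dc=ldapprod,dc=com" write
  by dn.exact="uid=repluser,dc=ldapprod,dc=com" read
```

Two checks worth making once the ACLs are in place: the search base passed with -b must be the suffix DN itself (dc=ldapprod,dc=com, as the "base <...>" header in the output above shows), and contextCSN is an operational attribute, so it is only returned when named explicitly in the attribute list or requested with "+". A base-scope search (-s base) against the suffix with only contextCSN requested is the narrowest way to confirm the monitor account sees exactly what was intended.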