Andrei Valoshyn wrote:
Currently I have an ACL in my slapd.conf file:
access to attrs=userPassword,userPKCS12 by self write by * auth
[..] I need write privilege for my group. I made some changes: [..] After that, users from the LDAP_admins group can edit all. But our Password Change System, where users can change their passwords, stopped working properly because users can't log in.
Disclaimer: I won't analyse your e-mails in detail.
Most likely the "by * auth" in the first ACL is not reached anymore.
Things to consider when writing ACLs:
1. Order is significant
2. Each ACL ends with an implicit <who> clause "by * none" => processing stops if not explicitly passed on with "break".
Ciao, Michael.
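
An added illustration of the two points above, not part of the original message: a constructed slapd.conf fragment showing an ordering that blocks binds, followed by two corrected alternatives. The group DN and suffix are placeholders, and the broken ordering is an assumed shape, since the poster's actual change is elided.

```conf
# Constructed example. dc=example,dc=com and the group DN are placeholders.
# The three sections are alternatives, not one configuration.

# --- Broken ordering --------------------------------------------------
# "access to *" matches every entry and attribute, userPassword included,
# so it is the first ACL selected for a bind. The binding client is still
# anonymous, matches no <who> clause, hits the implicit "by * none" and
# processing stops. The userPassword ACL below is never reached.
access to *
    by group.exact="cn=LDAP_admins,ou=groups,dc=example,dc=com" write

access to attrs=userPassword,userPKCS12
    by self write
    by * auth

# --- Corrected, option 1: specific ACL first -----------------------------
# The password ACL is selected first for userPassword; anonymous clients
# get "auth" (enough to bind), owners and the admin group get write.
access to attrs=userPassword,userPKCS12
    by group.exact="cn=LDAP_admins,ou=groups,dc=example,dc=com" write
    by self write
    by * auth

access to *
    by group.exact="cn=LDAP_admins,ou=groups,dc=example,dc=com" write

# --- Corrected, option 2: broad ACL first, passed on with "break" --------
# "by * break" replaces the implicit "by * none": anyone who is not in the
# group falls through to the next ACL whose <what> matches.
access to *
    by group.exact="cn=LDAP_admins,ou=groups,dc=example,dc=com" write
    by * break

access to attrs=userPassword,userPKCS12
    by self write
    by * auth
```

In either corrected form, non-members get no access to attributes other than the two listed, because no later ACL grants it; add further ACLs below if read access is wanted.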