On 02.08.24 at 10:24, pficheux@integra.fr wrote:
Hello,
Sorry, BDD is the French word for DB.
What I'm trying to test here is to give users permission to modify their own password, but also the right to read others' entries.
I've tried to put "break" at the end of the first ACL, but it's not working.
dn: olcDatabase={1}mdb,cn=config
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth break
olcAccess: {1}to * by self read
All the info you are asking for can be found at
https://www.openldap.org/doc/admin26/access-control.html
"break" doesn't do any good here because it just stops the evaluation of attrs=userPassword,shadowLastChange BUT these attributes will be part of further evaluation.
E.g. if you have a "global" rule
olcAccess: {0}to * by "cn=operator,dc=example,dc=org" manage
that would give cn=operator (and the root user) all access but after that, the evaluation of "*" will stop.
But with
olcAccess: {0}to * by "cn=operator,dc=example,dc=org" manage break
the evaluation of "*" is done by further, more specific rules that follow.
Given "to have users permissions to modify their own password, but also the right to read others entry" you want:
dn: olcDatabase={1}mdb,cn=config
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth
olcAccess: {1}to * by users read
which gives the anonymous user the right to authenticate, the authenticated user to modify the password and any other authenticated user the right to read the DIT (but for attrs=userPassword,shadowLastChange).
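The following is an added example, not part of the thread and not OpenLDAP code: a small Python model of the evaluation order the reply describes (first matching `to` clause, first matching `by` clause, `stop` by default, `break` carrying on to the next directive, and an implicit `by * none` when no `by` clause matches), run over both the posted ACL pair and the corrected one. It handles only the `<what>`/`<who>` forms that appear in the thread; the sample DNs are constructed, and a quoted DN is treated as an exact, case-insensitive match. slapd itself is the authority; the model is there to make the difference between the two rule sets visible before touching `cn=config`.

```python
"""Model of how slapd walks olcAccess directives (added example, not slapd code).

Rules modelled: the first directive whose <what> matches the attribute is
selected; within it the first matching <who> applies; 'stop' (default) ends
evaluation, 'break' continues with the next directive whose grant then
replaces the earlier one; a selected directive with no matching <who> acts
as if it ended in "by * none" (denied, evaluation stops).
Left out on purpose: dn.<style> variants, 'continue', '+'/'-' additive
access, and the entry/children pseudo-attributes.
"""
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional

# slapd's ordered privilege levels; a higher level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


@dataclass
class By:
    who: str
    access: str
    control: str = "stop"


@dataclass
class Directive:
    attrs: Optional[frozenset]  # None stands for "to *"
    bys: List[By]


def parse_directive(value: str) -> Directive:
    """Parse one olcAccess value, e.g. '{0}to attrs=userPassword by self write'."""
    value = re.sub(r"^\{\d+\}", "", value.strip())  # drop the {n} ordering prefix
    what, *by_parts = re.split(r"\s+by\s+", value)
    m = re.match(r"to\s+(\S+)$", what)
    if not m:
        raise ValueError(f"unsupported <what>: {what!r}")
    target = m.group(1)
    if target == "*":
        attrs = None
    elif target.startswith("attrs="):
        attrs = frozenset(a.strip().lower() for a in target[len("attrs="):].split(","))
    else:
        raise ValueError(f"unsupported <what>: {target!r}")
    bys = []
    for part in by_parts:
        who, access, *rest = shlex.split(part)  # shlex keeps a quoted DN as one token
        control = rest[0] if rest else "stop"
        if access not in LEVELS or control not in ("stop", "break"):
            raise ValueError(f"unsupported <by> clause: {part!r}")
        bys.append(By(who, access, control))
    return Directive(attrs, bys)


def who_matches(who: str, bound_dn: Optional[str], target_dn: str) -> bool:
    if who == "*":
        return True
    if who == "anonymous":
        return not bound_dn
    if who == "users":
        return bool(bound_dn)
    if who == "self":
        return bool(bound_dn) and bound_dn.lower() == target_dn.lower()
    # Anything else is taken as a literal DN (exact, case-insensitive): a simplification.
    return bool(bound_dn) and bound_dn.lower() == who.lower()


def evaluate(directives: List[Directive], bound_dn: Optional[str], target_dn: str, attr: str) -> str:
    """Return the privilege level that applies to <attr> of <target_dn> for <bound_dn>."""
    granted = "none"
    attr = attr.lower()
    for d in directives:
        if d.attrs is not None and attr not in d.attrs:
            continue  # <what> does not match; look at the next directive
        matched = next((b for b in d.bys if who_matches(b.who, bound_dn, target_dn)), None)
        if matched is None:
            return "none"  # implicit "by * none": denied, evaluation stops here
        granted = matched.access  # after a 'break' this replaces the earlier grant
        if matched.control == "stop":
            return granted
        # 'break': carry on with the next directive
    return granted


def allowed(directives, bound_dn, target_dn, attr, needed) -> bool:
    return LEVELS.index(evaluate(directives, bound_dn, target_dn, attr)) >= LEVELS.index(needed)


# The two directives as posted, and the reply's corrected pair.
POSTED = [parse_directive(v) for v in (
    "{0}to attrs=userPassword,shadowLastChange by self write by anonymous auth break",
    "{1}to * by self read",
)]
FIXED = [parse_directive(v) for v in (
    "{0}to attrs=userPassword,shadowLastChange by self write by anonymous auth",
    "{1}to * by users read",
)]

# Constructed sample DNs for the scenarios.
ALICE = "uid=alice,ou=people,dc=example,dc=org"
BOB = "uid=bob,ou=people,dc=example,dc=org"


def scenarios(directives) -> dict:
    """The operations the thread is about, as {label: allowed?}."""
    return {
        "alice changes own userPassword": allowed(directives, ALICE, ALICE, "userPassword", "write"),
        "alice reads bob's cn": allowed(directives, ALICE, BOB, "cn", "read"),
        "bob reads alice's userPassword": allowed(directives, BOB, ALICE, "userPassword", "read"),
        "anonymous bind as alice (auth)": allowed(directives, None, ALICE, "userPassword", "auth"),
    }


if __name__ == "__main__":
    for name, acls in (("posted", POSTED), ("fixed", FIXED)):
        print(f"[{name}]")
        for label, ok in scenarios(acls).items():
            print(f"  {'allow' if ok else 'deny ':5} {label}")
```

Under this model the posted pair denies alice's read of bob's entry (the `{1}` clause only has `by self`), and the `break` after `by anonymous auth` sends the anonymous bind on to `{1}`, where no `by` clause matches and the implicit `by * none` takes over, so the bind itself is refused. The corrected pair allows the self password change, the read of other entries by any authenticated user and the anonymous bind, while still keeping other users away from `userPassword`.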