OK, thanks Quanah!
I removed the "*" on the ACLs except for the last rule.
I don't understand: it is rejected by the last rule. Why does it not match rule #3? Normally it should stop at the first match?

Here's my request and the ACL log :
ldapsearch  -x -H ldap://127.0.0.1 -b "dc=fr" -D "cn=supervision,ou=Comptes clients,dc=fr"  -s base contextCSN

Oct 25 08:31:08 apsim-qualif slapd[27308]: => access_allowed: result not in cache (userPassword)
Oct 25 08:31:08 apsim-qualif slapd[27308]: => access_allowed: auth access to "cn=supervision,ou=Comptes Clients,dc=fr" "userPassword" requested
Oct 25 08:31:08 apsim-qualif slapd[27308]: => dn: [1] ou=comptes admin,dc=fr
Oct 25 08:31:08 apsim-qualif slapd[27308]: => acl_get: [2] attr userPassword
Oct 25 08:31:08 apsim-qualif slapd[27308]: => acl_mask: access to entry "cn=supervision,ou=Comptes Clients,dc=fr", attr "userPassword" requested
Oct 25 08:31:08 apsim-qualif slapd[27308]: => acl_mask: to value by "", (=0)
Oct 25 08:31:08 apsim-qualif slapd[27308]: <= check a_dn_pat: cn=admingdr,ou=comptes admin,dc=fr
Oct 25 08:31:08 apsim-qualif slapd[27308]: <= check a_dn_pat: cn=ldapsynchro,ou=comptes admin,dc=fr
Oct 25 08:31:08 apsim-qualif slapd[27308]: <= check a_dn_pat: users
Oct 25 08:31:08 apsim-qualif slapd[27308]: <= check a_dn_pat: anonymous
Oct 25 08:31:08 apsim-qualif slapd[27308]: <= acl_mask: [4] applying auth(=xd) (stop)
Oct 25 08:31:08 apsim-qualif slapd[27308]: <= acl_mask: [4] mask: auth(=xd)
Oct 25 08:31:08 apsim-qualif slapd[27308]: => slap_access_allowed: auth access granted by auth(=xd)
Oct 25 08:31:08 apsim-qualif slapd[27308]: => access_allowed: auth access granted by auth(=xd)
Oct 25 08:31:08 apsim-qualif slapd[27308]: => access_allowed: search access to "dc=fr" "entry" requested
Oct 25 08:31:08 apsim-qualif slapd[27308]: => dn: [1] ou=comptes admin,dc=fr
Oct 25 08:31:08 apsim-qualif slapd[27308]: => dn: [3] dc=fr
Oct 25 08:31:08 apsim-qualif slapd[27308]: => acl_get: [3] matched
Oct 25 08:31:08 apsim-qualif slapd[27308]: => acl_get: [3] attr entry
Oct 25 08:31:08 apsim-qualif slapd[27308]: => acl_mask: access to entry "dc=fr", attr "entry" requested
Oct 25 08:31:08 apsim-qualif slapd[27308]: => acl_mask: to all values by "cn=supervision,ou=comptes clients,dc=fr", (=0)
Oct 25 08:31:08 apsim-qualif slapd[27308]: <= check a_dn_pat: cn=ldapsynchro,ou=comptes admin,dc=fr
Oct 25 08:31:08 apsim-qualif slapd[27308]: <= check a_dn_pat: cn=supervision,ou=comptes clients,dc=fr
Oct 25 08:31:08 apsim-qualif slapd[27308]: <= acl_mask: [2] applying read(=rscxd) (stop)
Oct 25 08:31:08 apsim-qualif slapd[27308]: <= acl_mask: [2] mask: read(=rscxd)
Oct 25 08:31:08 apsim-qualif slapd[27308]: => slap_access_allowed: search access granted by read(=rscxd)
Oct 25 08:31:08 apsim-qualif slapd[27308]: => access_allowed: search access granted by read(=rscxd)
Oct 25 08:31:08 apsim-qualif slapd[27308]: => access_allowed: search access to "dc=fr" "objectClass" requested
Oct 25 08:31:08 apsim-qualif slapd[27308]: => dn: [1] ou=comptes admin,dc=fr
Oct 25 08:31:08 apsim-qualif slapd[27308]: => dn: [3] dc=fr
Oct 25 08:31:08 apsim-qualif slapd[27308]: => acl_get: [3] matched
Oct 25 08:31:08 apsim-qualif slapd[27308]: => dn: [5] dc=gouv,dc=fr
Oct 25 08:31:08 apsim-qualif slapd[27308]: => acl_get: [6] attr objectClass
Oct 25 08:31:08 apsim-qualif slapd[27308]: => acl_mask: access to entry "dc=fr", attr "objectClass" requested
Oct 25 08:31:08 apsim-qualif slapd[27308]: => acl_mask: to all values by "cn=supervision,ou=comptes clients,dc=fr", (=0)
Oct 25 08:31:08 apsim-qualif slapd[27308]: <= check a_dn_pat: cn=root,dc=fr
Oct 25 08:31:08 apsim-qualif slapd[27308]: <= check a_dn_pat: ou=comptes admin,dc=fr
Oct 25 08:31:08 apsim-qualif slapd[27308]: <= check a_dn_pat: cn=ldapsynchro,ou=comptes admin,dc=fr
Oct 25 08:31:08 apsim-qualif slapd[27308]: <= check a_dn_pat: self
Oct 25 08:31:08 apsim-qualif slapd[27308]: <= check a_dn_pat: users
Oct 25 08:31:08 apsim-qualif slapd[27308]: <= acl_mask: [5] applying none(=0) (stop)
Oct 25 08:31:08 apsim-qualif slapd[27308]: <= acl_mask: [5] mask: none(=0)
Oct 25 08:31:08 apsim-qualif slapd[27308]: => slap_access_allowed: search access denied by none(=0)
Oct 25 08:31:08 apsim-qualif slapd[27308]: => access_allowed: no more rules


On Wed, Oct 24, 2018 at 5:15 PM Quanah Gibson-Mount <quanah@symas.com> wrote:
--On Wednesday, October 24, 2018 5:17 PM +0200 Lirien Maxime
<maxime.lirien@gmail.com> wrote:

># 2) userPassword accessible by all
> access to * attrs=userPassword
>     by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
>     by users auth
>     by anonymous auth
>     by * none

This should be just access to attrs=userPassword, no need for the *.

Similar comment for some of your other ACLs using the same format.

I would generally advise enabling "acl" level logging to see how things are
being processed so you can determine what additional access is needed or
which rule(s) are blocking access.

--Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
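An added example for the question raised at the top of the thread (why rule #3 is not the one applied for objectClass). This is not code from the thread and not OpenLDAP's own code: it is a deliberately small model of how slapd selects an ACL, which is enough to show the point the "acl" log makes. slapd takes the first "access to <what>" directive whose target matches both the entry DN and the attribute being checked; a directive whose dn matches but whose attrs= list does not name the attribute is skipped, and only then are that directive's "by" clauses tried in order (first match wins, with an implicit "by * none" at the end, and "no more rules" meaning denial). The rule set below is constructed to mirror the shape of the log (same bind DNs, same attributes); the poster's real slapd.conf is not on the page, so the rules, the widened rule 3 and the helper names are assumptions.

```python
# Added example, not the poster's configuration and not OpenLDAP code: a small
# model of how slapd picks an ACL, written to show why a rule that matches the
# entry DN can still be passed over.  The rule set is constructed to mirror
# the 'acl' log in the thread; the real slapd.conf is not on the page.
from typing import List, Optional, Set, Tuple

# slapd access levels, least to most privileged; a granted level implies all lower ones
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


class Rule:
    """One 'access to <what> by <who> <level>' directive (each 'by' uses the default 'stop')."""
    def __init__(self, dn: Optional[str], scope: str, attrs: Optional[Set[str]],
                 by: List[Tuple[str, str]]):
        self.dn = dn          # target DN; None means no dn= restriction (the '*' case)
        self.scope = scope    # 'base' or 'subtree', as in dn.base= / dn.subtree=
        self.attrs = attrs    # attrs=... set; None means every attribute plus 'entry'
        self.by = by          # ordered (<who>, <level>) clauses


def norm(dn: str) -> str:
    """Case-insensitive DN comparison (the log prints the lower-cased form)."""
    return ",".join(p.strip().lower() for p in dn.split(",") if p.strip())


def dn_matches(rule: Rule, entry: str) -> bool:
    if rule.dn is None:
        return True
    target, e = norm(rule.dn), norm(entry)
    if rule.scope == "base":
        return e == target
    return e == target or e.endswith("," + target)


def who_matches(who: str, binddn: str, entry: str) -> bool:
    """Only the <who> forms that appear in the thread; other slapd forms are not modelled."""
    if who == "*":
        return True
    if who == "anonymous":
        return binddn == ""
    if who == "users":
        return binddn != ""
    if who == "self":
        return binddn != "" and norm(binddn) == norm(entry)
    if who.startswith("dn.exact="):
        return norm(who[len("dn.exact="):].strip('"')) == norm(binddn)
    raise ValueError("unsupported <who>: " + who)


def access_allowed(rules: List[Rule], binddn: str, entry: str, attr: str, wanted: str):
    """Return (granted, rule_number, level); rule_number is None when no rule matched."""
    for n, rule in enumerate(rules, 1):
        if not dn_matches(rule, entry):
            continue
        # <what> must match BOTH the entry and the attribute: a rule whose dn matched
        # but whose attrs= list lacks this attribute is skipped, evaluation moves on.
        if rule.attrs is not None and attr not in rule.attrs:
            continue
        for who, level in rule.by:
            if who_matches(who, binddn, entry):
                return LEVELS.index(level) >= LEVELS.index(wanted), n, level
        return False, n, "none"       # no <who> matched: implicit 'by * none'
    return False, None, "none"        # no rule matched at all: denied ("no more rules")


SUPERVISION = "cn=supervision,ou=Comptes Clients,dc=fr"
SYNCHRO = "cn=ldapsynchro,ou=comptes admin,dc=fr"

# Constructed rule set (an assumption, not the poster's file).  Rule 3 covers only
# the 'entry' pseudo-attribute of dc=fr, so it is never selected for objectClass.
RULES = [
    Rule("ou=Comptes Admin,dc=fr", "subtree", None,
         [("dn.exact=cn=admingdr,ou=comptes admin,dc=fr", "write"),
          ("dn.exact=" + SYNCHRO, "read"), ("users", "none")]),
    Rule(None, "subtree", {"userPassword"},
         [("dn.exact=" + SYNCHRO, "read"), ("users", "auth"), ("anonymous", "auth")]),
    Rule("dc=fr", "base", {"entry"},
         [("dn.exact=" + SYNCHRO, "read"), ("dn.exact=" + SUPERVISION, "read")]),
    Rule("dc=fr", "subtree", None,
         [("dn.exact=cn=root,dc=fr", "write"), ("dn.exact=" + SYNCHRO, "read"),
          ("self", "write"), ("users", "none")]),
]


def base_search_on_suffix(rules: List[Rule]):
    """The two checks the log shows for 'ldapsearch -b dc=fr -s base' bound as supervision."""
    return {
        "entry": access_allowed(rules, SUPERVISION, "dc=fr", "entry", "search"),
        "objectClass": access_allowed(rules, SUPERVISION, "dc=fr", "objectClass", "search"),
    }


def widened_rules() -> List[Rule]:
    """Same rules, but rule 3 also names the attributes the base search touches (assumed fix)."""
    fixed = list(RULES)
    fixed[2] = Rule("dc=fr", "base", {"entry", "objectClass", "contextCSN"}, RULES[2].by)
    return fixed


if __name__ == "__main__":
    for label, rules in (("as logged", RULES), ("rule 3 widened", widened_rules())):
        for attr, (ok, n, level) in base_search_on_suffix(rules).items():
            print(f"{label:15} {attr:12} rule {n}: {level:5} -> {'granted' if ok else 'denied'}")
```

Run as-is, the first pass reproduces the log: search on dc=fr/entry is granted by rule 3 (read), while dc=fr/objectClass falls through rule 3 to the later rule whose "by users none" denies it. The second pass shows that naming the attribute in rule 3's attrs= is what makes rule 3 the selected one. The trace lines quoted in the thread come from "loglevel acl" (olcLogLevel: acl under cn=config), which is the logging Quanah recommends for this kind of question.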