Hi all,
sorry for this second post.
I have a "supervision" account on all my ldap servers. With the plugin nagios , it check the synchro. I would like this account read only contextcsn at the top (dc=fr).
And only contextcsn not the other entries.
Quanah helped me (and thanks again) but it not seems to work. It's my bad, I don't see something...
In the log it seems that "supervision" can't access dc=fr and it starts browsing from dc=gouv,dc=fr.
Without rule#3, it's ok because of rule #5.
But with rule#3 it's supposed to match contextCSN ?!
Thanks guys.
PS : "supervision" is in "Comptes Admin"
Here are my ACL :
# 1) Admin's branch
access to dn.subtree="ou=Comptes Admin,dc=fr"
by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
by self auth
by users auth
by anonymous auth
# 2) userPassword accessible by all
access to * attrs=userPassword
by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
by users auth
by anonymous auth
by * none
# 3) ********* CONTEXTCSN *********
access to dn.base="dc=fr" attrs=entry,children,contextcsn
by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
by dn.exact="cn=supervision,ou=Comptes Clients,dc=fr" read
by * none
# 4) Certificate
access to * attrs=userCertificateAuthentication,userCertificateConfidentiality,userCertificateSigning
by dn.exact="cn=clienttest,ou=Comptes Clients,dc=fr" read
by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
by * none
# 5) Branch dc=gouv,dc=fr
access to dn.subtree="dc=gouv,dc=fr"
by dn.subtree="ou=Comptes Clients,dc=fr" read
by dn.subtree="ou=Comptes Admin,dc=fr" write
by * none
# 6) All the tree
access to *
by dn.exact="cn=root,dc=fr" write
by dn.subtree="ou=Comptes Admin,dc=fr" read
by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
by self none
by users none
by anonymous none
by * none