Rather than a replace op, you can just delete and add ACL {0} directly,
since you're not changing any of the other ACLs.
So this means I can omit the entries for olcAccess: {1} and olcAccess: {2}?
And for olcAccess: {0} I would first create a delete operation and after that re-add it again? Why is that better than a replace, if I may ask?
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=sys_allow_pw_change,ou=Groups,dc=ldap,dc=example,dc=com
dn: cn=sys_allow_pw_change,ou=Groups,dc=ldap,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: sys_allow_pw_change
memberUid: svc_ldap
memberUid: cupcake
gidNumber: 23923
So I've created pwchange.ldif with the help of this serverfault post
dd-olcaccess-rules-to-openldap):
The post misses important points about how to do ACLs.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
Rather than a replace op, you can just delete and add ACL {0} directly,
since you're not changing any of the other ACLs.
olcAccess: {0}to attrs=userPassword
 by self write
 by dn="cn=admin,dc=ldap,dc=example,dc=com" manage
 by dn="[cn=sys_allow_pw_change,ou=Groups,dc=ldap,dc=example,dc=com]/memberUid & user/uid" write
 by anonymous auth
The above seems very wrong. Is sys_allow_pw_change an actual LDAP group
(groupofNames, groupOfUniqueNames, or groupOfMembers)? If so, just
standard group ACL format should work.
I.e., by dn.group="..." write
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
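The delete-then-add of a single ordered olcAccess value that Quanah describes, written out as an added example (not code from the thread or from OpenLDAP): the script builds the LDIF for `olcDatabase={1}mdb,cn=config`, deleting only the value at index {0} and adding the corrected value back at {0}, so {1}, {2}, ... are left untouched. It also folds long lines the way RFC 2849 LDIF does (continuation lines start with one space), which is why a long ACL pasted into mail shows up split mid-word. The ACL body is constructed here and uses the `dn.group=` form from the reply; that form assumes the group is a groupOfNames whose member values are DNs (the dn.group default), which is exactly the question raised above about sys_allow_pw_change.

```python
# Added example: build LDIF that resets only olcAccess value {0} on an
# OpenLDAP cn=config database, using ordered-value semantics. Not code from
# the thread; DNs below are taken from it, the ACL body is constructed.

DB_DN = "olcDatabase={1}mdb,cn=config"
GROUP_DN = "cn=sys_allow_pw_change,ou=Groups,dc=ldap,dc=example,dc=com"
ADMIN_DN = "cn=admin,dc=ldap,dc=example,dc=com"

# Constructed ACL body. dn.group assumes a groupOfNames with DN-valued
# member attributes; a posixGroup with memberUid does not satisfy that.
ACL0 = ("to attrs=userPassword "
        "by self write "
        f'by dn="{ADMIN_DN}" manage '
        f'by dn.group="{GROUP_DN}" write '
        "by anonymous auth")


def fold_ldif_line(line, width=76):
    """Split one logical LDIF line into physical lines per RFC 2849.

    Continuation lines begin with a single space; the reader strips it.
    """
    if len(line) <= width:
        return [line]
    physical = [line[:width]]
    rest = line[width:]
    while rest:
        physical.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return physical


def unfold_ldif(text):
    """Undo folding: a physical line starting with a space continues the previous one."""
    logical = []
    for phys in text.splitlines():
        if phys.startswith(" ") and logical:
            logical[-1] += phys[1:]
        else:
            logical.append(phys)
    return logical


def build_acl_reset_ldif(db_dn, index, acl_body):
    """Return LDIF that deletes olcAccess value {index} and adds acl_body at {index}.

    In slapd-config ordered values, deleting a value given only as "{n}"
    removes the value at that position; adding "{n}..." inserts at position n.
    Each modification is terminated by "-" as RFC 2849 requires.
    """
    logical = [
        f"dn: {db_dn}",
        "changetype: modify",
        "delete: olcAccess",
        f"olcAccess: {{{index}}}",   # index alone: delete the value at that slot
        "-",
        "add: olcAccess",
        f"olcAccess: {{{index}}}{acl_body}",
        "-",
    ]
    physical = []
    for line in logical:
        physical.extend(fold_ldif_line(line))
    return "\n".join(physical) + "\n"


if __name__ == "__main__":
    print(build_acl_reset_ldif(DB_DN, 0, ACL0), end="")
```

Write the output to a file and apply it with the same local-socket bind used in the ldapsearch above, `ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f pwchange.ldif`; the other olcAccess values keep their indices because nothing in the record refers to them.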