Damn! My ACL doesn't work despite your help :-/

In the log it seems that "supervision" can't access dc=fr; it starts from dc=gouv,dc=fr.
Without rule #3, it's OK because of rule #5.
But with rule #3 it's supposed to match contextCSN.

Thanks guys.

Here are my ACLs:

# 1) Admin's branch
access to dn.subtree="ou=Comptes Admin,dc=fr"
    by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
    by self auth
    by users auth
    by anonymous auth

# 2) userPassword accessible by all
access to * attrs=userPassword
    by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
    by users auth
    by anonymous auth
    by * none

# 3) ********* CONTEXTCSN *********
access to dn.base="dc=fr" attrs=entry,children,contextcsn
    by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
    by dn.exact="cn=supervision,ou=Comptes Clients,dc=fr" read
    by * none

# 4) Certificate
access to * attrs=userCertificateAuthentication,userCertificateConfidentiality,userCertificateSigning
    by dn.exact="cn=clienttest,ou=Comptes Clients,dc=fr" read
    by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
    by * none

# 5) Branch dc=gouv,dc=fr
access to dn.subtree="dc=gouv,dc=fr"
    by dn.subtree="ou=Comptes Clients,dc=fr" read
    by dn.subtree="ou=Comptes Admin,dc=fr" write
    by * none

# 6) All the tree
access to *
    by dn.exact="cn=root,dc=fr" write
    by dn.subtree="ou=Comptes Admin,dc=fr" read
    by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
    by self none
    by users none
    by anonymous none
    by * none


On Tue, Oct 16, 2018 at 6:31 PM Quanah Gibson-Mount <quanah@symas.com> wrote:
--On Tuesday, October 16, 2018 6:54 PM +0200 Dieter Klünter
<dieter@dkluenter.de> wrote:

> Am Tue, 16 Oct 2018 15:51:50 +0200
> schrieb Lirien Maxime <maxime.lirien@gmail.com>:
>
>> Hi all,
>> thanks for reading.
>> I have a "supervision" account on all my LDAP servers. With the Nagios
>> plugin, it checks the synchro. I would like this account to read only
>> contextcsn to check synchro, and only contextcsn, not the other
>> entries (Nagios check plugin).
>> Can someone help me to write the right ACL?
>>
>> Here is what I tried, but it's not really right :-/
>> # ContextCSN
>> access to dn.subtree="dc=fr" attrs=contextCSN
>>      by dn.subtree="cn=supervision,ou=Comptes Clients,dc=fr" read
>>      by * none
>
> access to dn.base=dc=fr
>    attrs=entry,children,contextCSN read

I'd also be careful of doing "by * none" to the contextCSN, etc, as that
can break replication depending on the DN that binds to the master(s),
since the replication DN must be able to read the contextCSN.

--Quanah



--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
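To trace what the evaluation order described in slapd.access(5) does with the six rules above, here is an added toy model; it is neither OpenLDAP code nor anything from this thread. It keeps only the selectors the rules use (dn.base, dn.subtree, attrs, self, users, anonymous, dn.exact) and ignores rootdn bypass, per-backend ACLs and the other <who>/<what> forms; `check()` answers whether a bind DN gets a given level on one attribute of one entry and which rule decided, the way slapacl reports it. The DN `cn=replica,dc=fr` used below is a constructed stand-in for a replication DN that is not listed in rule #3.

```python
# Added example, not OpenLDAP code: a toy model of the evaluation order in
# slapd.access(5). The first "access to" whose <what> matches entry+attribute
# wins, its first matching "by" decides, and granted must be >= requested.
LEVEL = {"none": 0, "auth": 2, "search": 4, "read": 5, "write": 6}

def in_subtree(dn, base):
    return dn == base or dn.endswith("," + base)

def what_matches(what, entry_dn, attr):
    scope, base, attrs = what                 # attrs None means "any attribute"
    if attrs is not None and attr.lower() not in attrs: return False
    return scope == "*" or (entry_dn == base if scope == "dn.base"
                            else in_subtree(entry_dn, base))

WHO = {  # <who> kind -> test(requester, entry_dn, value); requester None = anonymous
    "*": lambda r, e, v: True, "anonymous": lambda r, e, v: r is None,
    "users": lambda r, e, v: r is not None, "self": lambda r, e, v: r == e,
    "dn.exact": lambda r, e, v: r == v,
    "dn.subtree": lambda r, e, v: r is not None and in_subtree(r, v)}

def check(acls, requester, entry_dn, attr, level):
    # Returns (granted?, number of the deciding rule), the way slapacl reports it.
    for num, what, bys in acls:
        if what_matches(what, entry_dn, attr):
            for kind, val, granted in bys:
                if WHO[kind](requester, entry_dn, val):
                    return LEVEL[granted] >= LEVEL[level], num
            return False, num                 # no <by> matched: implicit "by * none"
    return False, None                        # no <what> matched: denied

# The thread's six rules, transcribed from the post (attribute names lowercased).
SYNC, SUP = "cn=Synchro,ou=Comptes Admin,dc=fr", "cn=supervision,ou=Comptes Clients,dc=fr"
ADMIN, CLIENTS = "ou=Comptes Admin,dc=fr", "ou=Comptes Clients,dc=fr"
ACLS = [  # (rule number, (<what> scope, dn, attrs), [(<who> kind, value, <access>), ...])
    (1, ("dn.subtree", ADMIN, None), [("dn.exact", SYNC, "read"), ("self", None, "auth"),
                                      ("users", None, "auth"), ("anonymous", None, "auth")]),
    (2, ("*", None, {"userpassword"}), [("dn.exact", SYNC, "read"), ("users", None, "auth"),
                                        ("anonymous", None, "auth"), ("*", None, "none")]),
    (3, ("dn.base", "dc=fr", {"entry", "children", "contextcsn"}),
     [("dn.exact", SYNC, "read"), ("dn.exact", SUP, "read"), ("*", None, "none")]),
    (4, ("*", None, {"usercertificateauthentication", "usercertificateconfidentiality",
                     "usercertificatesigning"}), [("dn.exact", "cn=clienttest," + CLIENTS, "read"),
                                                  ("dn.exact", SYNC, "read"), ("*", None, "none")]),
    (5, ("dn.subtree", "dc=gouv,dc=fr", None), [("dn.subtree", CLIENTS, "read"),
                                                ("dn.subtree", ADMIN, "write"), ("*", None, "none")]),
    (6, ("*", None, None), [("dn.exact", "cn=root,dc=fr", "write"), ("dn.subtree", ADMIN, "read"),
                            ("dn.exact", SYNC, "read"), ("self", None, "none"), ("users", None, "none"),
                            ("anonymous", None, "none"), ("*", None, "none")]),
]
```

In this model `check(ACLS, SUP, "dc=fr", "contextCSN", "read")` is granted by rule #3 while the same read from `cn=replica,dc=fr` is refused by rule #3's `by * none`, which is exactly Quanah's warning, and `check(ACLS, SYNC, "cn=x,ou=Comptes Admin,dc=fr", "userPassword", "read")` is decided by rule #1, not #2, because the first matching "access to" wins. Ask the real server the same questions with `slapacl -f slapd.conf -D "cn=supervision,ou=Comptes Clients,dc=fr" -b "dc=fr" contextCSN/read`.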