On Wednesday, 03 November 2010, 09:52:26, Benjamin Griese wrote:
Hello Ralf,
[..]
In the meantime I set the ACL, but unfortunately it didn't help solve the problem. You may take a look at my example:
dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn="cn=ldapadm,dc=example,dc=de" write
  by dn="cn=proxyuser,ou=system,ou=people,dc=example,dc=de" read
  by anonymous auth
  by self write
  by * none
olcAccess: {1} to dn.base="" attrs=supportedControl
  val/objectIdentifierMatch=1.2.840.113556.1.4.473
  by * none
olcAccess: {2} to dn.base="" attrs=supportedControl
  val/objectIdentifierMatch=2.16.840.1.113730.3.4.9
  by * none
olcAccess: {3}to dn.base=""
  by * read
olcAccess: {4}to *
  by dn="cn=ldapadm,dc=example,dc=de" write
  by * read
If I remember right {4} is not opening up the access when it is explicitly denied in the ACLs {1} & {2}, am I right?
Yes, you are right.
But I'm not sure if this is the right place for this kind of ACL, cn=config instead should be wrong too I guess.
It has to be in the global ACL, i.e. you have to add it to olcDatabase={-1}frontend,cn=config.
Bye, Benjamin.
[..]
Ralf