Ok, I thought the rule matched if "by" also matched. Thanks for shedding light on it.
I applied the olcAccess you proposed.
I still have the problem of deletion of the "dc=foo,dc=bar" tree on node2, for example when I add a user on node1. Any idea why?
Thanks,
Regards,
Vincent
On 13/01/2020 at 17:24, Quanah Gibson-Mount wrote:
--On Monday, January 13, 2020 4:53 PM +0100 Vincent Ducot vincent.ducot@rubycat.eu wrote:
Hi,
Yes, I understand the processing order. So something like this should work, right?
No. All access to userPassword is stopped by your very first ACL, no further ACLs for it will apply, as I already stated. Again, ACL processing STOPs at the FIRST matching rule. Additionally, a replication user only needs read access to read data off the master. It does not need explicit write access to its local db.
olcAccess: to attrs=userPassword by anonymous auth
olcAccess: to * by dn="uid=rpuser,dc=foo,dc=bar" write
olcAccess: to attrs=userPassword by self write by * none
olcAccess: to * by dn="cn=admin,dc=foo,dc=bar" write by self write by users read by * none
So in the above, any and all access to userPassword STOPs at the "by anonymous auth access". Any other type of request for access to userPassword will be denied.
You most likely want something more like:
olcAccess: to attrs=userPassword by anonymous auth by self write by dn.exact="uid=rpuser,dc=foo,dc=bar" read
olcAccess: to * by dn="cn=admin,dc=foo,dc=bar" write by self write by users read by * none
This appears to encapsulate the permissions you're trying to set up in the above.
Note that a "user" is *any* identity that successfully authenticated to the LDAP server, so the "rpuser" is already covered in the "to *" access line by the rule "by users read".
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
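The following is an added example, not code from the thread or from the OpenLDAP project: a small Python model of the first-match evaluation Quanah describes (first matching "to" clause wins, first matching "by" clause inside it wins, no matching "by" means an implicit "by * none", later directives are never consulted), run over both ACL sets quoted above. It covers only the clause forms that appear in the thread ("*" and attrs=... for what; "*", anonymous, users, self, dn= and dn.exact= for who) and treats a bare dn="..." as an exact DN match, which is an assumption of this example. The DNs uid=alice and uid=bob are constructed sample identities; rpuser and cn=admin are the ones from the thread.

```python
"""Toy model of OpenLDAP's first-match olcAccess evaluation (added example,
not OpenLDAP code).  Only the subset of slapd.access(5) used in the thread
is modelled: no entry/children pseudo-attributes, no regex/group/set clauses.
dn="..." without a style is treated as an exact DN match (assumption)."""
import re
import shlex
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Access levels ranked as slapd.access(5) ranks them: a clause granting level
# L also satisfies a request for any lower level (read satisfies auth, etc.).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


@dataclass
class ByClause:
    who: str      # "*", "anonymous", "users", "self" or "dn:<lower-cased exact dn>"
    access: str   # one of LEVELS


@dataclass
class AccessDirective:
    attrs: Optional[List[str]]                  # None means "to *"
    by: List[ByClause] = field(default_factory=list)


def _normalise_who(who: str) -> str:
    for prefix in ("dn.exact=", "dn="):         # both treated as exact match here
        if who.startswith(prefix):
            return "dn:" + who[len(prefix):].lower()
    if who in ("*", "anonymous", "users", "self"):
        return who
    raise ValueError(f"unsupported <who> {who!r}")


def parse_olc_access(text: str) -> List[AccessDirective]:
    """Parse 'olcAccess: [{n}]to <what> by <who> <level> [by ...]' lines, keeping order."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^olcAccess:\s*(?:\{\d+\})?\s*(.*)$", line)
        if not m:
            raise ValueError(f"not an olcAccess line: {line!r}")
        tok = shlex.split(m.group(1))           # shlex strips the quotes in dn="..."
        if len(tok) < 2 or tok[0] != "to":
            raise ValueError(f"expected 'to <what>': {line!r}")
        what = tok[1]
        if what == "*":
            attrs = None
        elif what.startswith("attrs="):
            attrs = [a.strip().lower() for a in what[len("attrs="):].split(",")]
        else:
            raise ValueError(f"unsupported <what> {what!r}")
        d = AccessDirective(attrs)
        i = 2
        while i < len(tok):                     # consume 'by <who> <level>' triples
            if tok[i] != "by" or i + 2 >= len(tok) or tok[i + 2] not in LEVELS:
                raise ValueError(f"malformed 'by' clause in {line!r}")
            d.by.append(ByClause(_normalise_who(tok[i + 1]), tok[i + 2]))
            i += 3
        directives.append(d)
    return directives


def _who_matches(who: str, requester_dn: Optional[str], target_dn: str) -> bool:
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":                          # any authenticated identity
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and requester_dn.lower() == target_dn.lower()
    if who.startswith("dn:"):
        return requester_dn is not None and requester_dn.lower() == who[3:]
    raise ValueError(who)


def check_access(directives: List[AccessDirective], requester_dn: Optional[str],
                 target_dn: str, attr: str, wanted: str) -> Tuple[bool, str]:
    """Evaluate one request: FIRST directive whose <what> matches the attribute
    wins; inside it the FIRST matching <who> wins; if no <who> matches, the
    implicit trailing 'by * none' denies.  requester_dn=None is an anonymous bind."""
    for n, d in enumerate(directives):
        if d.attrs is not None and attr.lower() not in d.attrs:
            continue
        for b in d.by:
            if _who_matches(b.who, requester_dn, target_dn):
                ok = LEVELS.index(b.access) >= LEVELS.index(wanted)
                return ok, f"directive {n}: 'by {b.who} {b.access}'"
        return False, f"directive {n}: no 'by' clause matched, implicit 'by * none'"
    return False, "no 'to' clause matched"


# ACL set Vincent posted (first rule swallows every request for userPassword).
ORIGINAL_ACL = """
olcAccess: to attrs=userPassword by anonymous auth
olcAccess: to * by dn="uid=rpuser,dc=foo,dc=bar" write
olcAccess: to attrs=userPassword by self write by * none
olcAccess: to * by dn="cn=admin,dc=foo,dc=bar" write by self write by users read by * none
"""

# ACL set Quanah proposed.
PROPOSED_ACL = """
olcAccess: to attrs=userPassword by anonymous auth by self write by dn.exact="uid=rpuser,dc=foo,dc=bar" read
olcAccess: to * by dn="cn=admin,dc=foo,dc=bar" write by self write by users read by * none
"""

ALICE = "uid=alice,dc=foo,dc=bar"     # constructed sample user
BOB = "uid=bob,dc=foo,dc=bar"         # constructed sample user
RPUSER = "uid=rpuser,dc=foo,dc=bar"
ADMIN = "cn=admin,dc=foo,dc=bar"

if __name__ == "__main__":
    cases = [(ALICE, ALICE, "userPassword", "write"), (RPUSER, ALICE, "userPassword", "read"),
             (None, ALICE, "userPassword", "auth"), (ADMIN, ALICE, "cn", "write"),
             (ALICE, BOB, "cn", "read"), (ADMIN, ALICE, "userPassword", "read")]
    for name, text in (("original", ORIGINAL_ACL), ("proposed", PROPOSED_ACL)):
        acl = parse_olc_access(text)
        print(f"== {name} ==")
        for req, tgt, attr, lvl in cases:
            ok, why = check_access(acl, req, tgt, attr, lvl)
            print(f"{req or 'anonymous':28} {lvl:5} {attr:12} on {tgt}: {'ALLOW' if ok else 'DENY'} ({why})")
```

Running it shows the failure mode from the thread: in the original set, self write and rpuser read on userPassword both stop at directive 0 with no matching "by" clause, and, by the same rule, directive 1 ("to * by rpuser write") stops every non-rpuser request for any other attribute, so cn=admin cannot even write cn. In the proposed set those all resolve as intended. One thing the model also makes visible is that the proposed set grants cn=admin no access to userPassword at all; that only matters if cn=admin is not the database rootdn, because the rootdn bypasses ACLs entirely. The authoritative check on a real server is slapacl(8), run against the target entry with -b, the requesting identity with -D, and the attribute/level pair to test.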