Ok, I thought the rule matched if "by" also matched. Thanks for shedding light on it.
I apply the olcAccess you proposed.
I still have the problem of deletion of "dc=foo,dc=bar" tree on node2,
for example when I add a user on node1. Any idea why?
Thanks,
Regards,
Vincent
On 13/01/2020 at 17:24, Quanah Gibson-Mount wrote:
--On Monday, January 13, 2020 4:53 PM +0100 Vincent Ducot
<vincent.ducot(a)rubycat.eu> wrote:
>
> Hi,
>
> yes, I understand the processing order. So something like this should
> work, right ?
No. All access to userPassword is stopped by your very first ACL, no
further ACLs for it will apply, as I already stated. Again, ACL
processing STOPs at the FIRST matching rule. Additionally, a
replication user only needs read access to read data off the master.
It does not need explicit write access to its local db.
> olcAccess: to attrs=userPassword by anonymous auth
> olcAccess: to * by dn="uid=rpuser,dc=foo,dc=bar" write
> olcAccess: to attrs=userPassword by self write by * none
> olcAccess: to * by dn="cn=admin,dc=foo,dc=bar" write by self write by
> users read by * none
So in the above, any and all access to userPassword STOPs at the "by
anonymous auth access". Any other type of request for access to
userPassword will be denied.
You most likely want something more like:
olcAccess: to attrs=userPassword by anonymous auth by self write by
dn.exact="uid=rpuser,dc=foo,dc=bar" read
olcAccess: to * by dn="cn=admin,dc=foo,dc=bar" write by self write by
users read by * none
This appears to encapsulate the permissions you're trying to set up in
the above.
Note that a "user" is *any* identity that successfully authenticated to
the LDAP server, so the "rpuser" is already covered in the "to *"
access line by the rule "by users read".
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
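The evaluation order Quanah describes (the first "to" clause whose target matches decides, and inside it the first "by" clause whose requester matches; a clause with no matching "by" denies) can be checked without a running slapd. The following is an added worked example, not part of this thread and not OpenLDAP code: a small Python model of slapd ACL evaluation that handles only the olcAccess syntax used above. It encodes both configurations from the thread and shows that under the original one neither the replication user nor the entry owner gets any access to userPassword, while the corrected one grants rpuser read. Assumptions of the model: `dn=` and `dn.exact=` are both treated as exact DN matches, a request matched by no rule is denied, and the entry `uid=alice,ou=people,dc=foo,dc=bar` is a constructed sample.

```python
"""Simplified model of slapd olcAccess evaluation (teaching code, not OpenLDAP).

Only the subset of syntax in the thread is supported:
  to *  |  to attrs=<a>[,<b>...]
  by anonymous | self | users | * | dn="<DN>" | dn.exact="<DN>"   with level none|auth|read|write
"""
import shlex

# slapd access levels in increasing order (subset); a higher grant implies the lower ones.
LEVELS = ["none", "auth", "read", "write"]


def parse_acl(line):
    """Parse one 'olcAccess: to <what> by <who> <level> [by ...]' line."""
    body = line.split(":", 1)[1] if line.startswith("olcAccess:") else line
    tokens = shlex.split(body)          # strips the quotes around dn="..." values
    if len(tokens) < 2 or tokens[0] != "to":
        raise ValueError("ACL must start with 'to': %r" % line)
    what, rest = tokens[1], tokens[2:]
    if len(rest) % 3:
        raise ValueError("malformed by clauses: %r" % line)
    bys = []
    for i in range(0, len(rest), 3):
        kw, who, level = rest[i:i + 3]
        if kw != "by" or level not in LEVELS:
            raise ValueError("malformed by clause: %r" % line)
        bys.append((who, level))
    return {"to": what, "by": bys}


def target_matches(what, attr):
    """Does the <what> clause cover a request for attribute `attr`?"""
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr.lower() in [a.strip().lower() for a in what[len("attrs="):].split(",")]
    raise ValueError("unsupported <what> clause: %r" % what)


def who_matches(who, bind_dn, entry_dn):
    """Does the <who> clause cover a requester bound as `bind_dn` (None = anonymous)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    for prefix in ("dn.exact=", "dn="):       # assumption: both treated as exact match
        if who.startswith(prefix):
            return bind_dn is not None and bind_dn.lower() == who[len(prefix):].lower()
    raise ValueError("unsupported <who> clause: %r" % who)


def evaluate(acls, bind_dn, entry_dn, attr):
    """Return (granted_level, index_of_deciding_rule) for one access request."""
    for idx, rule in enumerate(acls):
        if not target_matches(rule["to"], attr):
            continue                            # this 'to' does not cover the target
        for who, level in rule["by"]:
            if who_matches(who, bind_dn, entry_dn):
                return level, idx               # first matching 'by' decides
        return "none", idx                      # 'to' matched, no 'by' did: implicit "by * none"
    return "none", None                         # assumption: nothing matched -> deny


def permits(granted, needed):
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(granted) >= LEVELS.index(needed)


# The two configurations from the thread (wrapped lines joined).
ORIGINAL = [
    'olcAccess: to attrs=userPassword by anonymous auth',
    'olcAccess: to * by dn="uid=rpuser,dc=foo,dc=bar" write',
    'olcAccess: to attrs=userPassword by self write by * none',
    'olcAccess: to * by dn="cn=admin,dc=foo,dc=bar" write by self write by users read by * none',
]
CORRECTED = [
    'olcAccess: to attrs=userPassword by anonymous auth by self write '
    'by dn.exact="uid=rpuser,dc=foo,dc=bar" read',
    'olcAccess: to * by dn="cn=admin,dc=foo,dc=bar" write by self write by users read by * none',
]

RPUSER = "uid=rpuser,dc=foo,dc=bar"
ALICE = "uid=alice,ou=people,dc=foo,dc=bar"    # constructed sample entry


def replication_read_allowed(config):
    """Can the replication identity read userPassword of an ordinary entry?"""
    acls = [parse_acl(line) for line in config]
    level, _ = evaluate(acls, RPUSER, ALICE, "userPassword")
    return permits(level, "read")


if __name__ == "__main__":
    for name, config in (("original", ORIGINAL), ("corrected", CORRECTED)):
        acls = [parse_acl(line) for line in config]
        print(name)
        for bind_dn, attr in ((RPUSER, "userPassword"), (ALICE, "userPassword"),
                              (None, "userPassword"), (RPUSER, "cn"), (None, "cn")):
            level, idx = evaluate(acls, bind_dn, ALICE, attr)
            print("  %-28s %-13s -> %-5s (rule %s)" % (bind_dn or "anonymous", attr, level, idx))
```

Running it prints, for each configuration, which rule decided each request: in the original set every userPassword request stops at rule 0, so rpuser (and alice herself) end up with "none", while in the corrected set rpuser reaches "read" on userPassword and, via "by users read", on everything else.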