Ok, I thought the rule matched if "by" also matched. Thanks for shedding light on it.

I applied the olcAccess you proposed.

I still have the problem of the deletion of the "dc=foo,dc=bar" tree on node2, for example when I add a user on node1. Any idea why?

Thanks,

Regards,

Vincent

On 13/01/2020 at 17:24, Quanah Gibson-Mount wrote:


--On Monday, January 13, 2020 4:53 PM +0100 Vincent Ducot <vincent.ducot@rubycat.eu> wrote:


Hi,

Yes, I understand the processing order. So something like this should work, right?

No.  All access to userPassword is stopped by your very first ACL, no further ACLs for it will apply, as I already stated.  Again, ACL processing STOPs at the FIRST matching rule.  Additionally, a replication user only needs read access to read data off the master.  It does not need explicit write access to its local db.




olcAccess: to attrs=userPassword by anonymous auth
olcAccess: to * by dn="uid=rpuser,dc=foo,dc=bar" write
olcAccess: to attrs=userPassword by self write by * none
olcAccess: to * by dn="cn=admin,dc=foo,dc=bar" write by self write by users read by * none

So in the above, any and all access to userPassword STOPs at the "by anonymous auth access".  Any other type of request for access to userPassword will be denied.

You most likely want something more like:

olcAccess: to attrs=userPassword by anonymous auth by self write by dn.exact="uid=rpuser,dc=foo,dc=bar" read
olcAccess: to * by dn="cn=admin,dc=foo,dc=bar" write by self write by users read by * none

This appears to encapsulate the permissions you're trying to set up in the above.

Note that a "user" is *any* identity that successfully authenticated to the LDAP server, so the "rpuser" is already covered in the "to *" access line by the rule "by users read".

--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
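To make the first-match rule in the quoted reply concrete, here is an added example (not from the thread or the OpenLDAP project) that models how slapd picks an olcAccess rule. It assumes a simplified model: the first "to" clause matching the attribute is chosen, the first matching "by" clause inside it decides, a "to" clause whose "by" clauses all miss yields none, and only "*" and "attrs=<name>" targets are modelled; the bind DN "uid=alice,dc=foo,dc=bar" used in the checks is constructed.

```python
import re
# Levels in the order slapd ranks them (simplified from slapd.access(5)).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
# The two olcAccess sets discussed in the thread, verbatim.
ORIGINAL = [
    'olcAccess: to attrs=userPassword by anonymous auth',
    'olcAccess: to * by dn="uid=rpuser,dc=foo,dc=bar" write',
    'olcAccess: to attrs=userPassword by self write by * none',
    'olcAccess: to * by dn="cn=admin,dc=foo,dc=bar" write by self write by users read by * none',
]
PROPOSED = [
    'olcAccess: to attrs=userPassword by anonymous auth by self write by dn.exact="uid=rpuser,dc=foo,dc=bar" read',
    'olcAccess: to * by dn="cn=admin,dc=foo,dc=bar" write by self write by users read by * none',
]

def parse_acl(line):
    """Split 'olcAccess: to <what> by <who> <level> by ...' into (what, [(who, level), ...])."""
    body = re.sub(r"^olcAccess:\s*to\s+", "", line.strip())
    what, *bys = re.split(r"\s+by\s+", body)
    return what.strip(), [tuple(b.rsplit(None, 1)) for b in bys]

def what_matches(what, attr):
    # Assumption: only '*' and 'attrs=<name>' targets are modelled here.
    return what == "*" or what == f"attrs={attr}"

def who_matches(who, bind_dn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":          # any successfully authenticated identity
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn == target_dn
    m = re.match(r'dn(?:\.exact)?="([^"]+)"$', who)
    return bool(m) and m.group(1) == bind_dn

def granted(acls, bind_dn, target_dn, attr):
    """Level from the FIRST 'to' clause matching attr; later clauses are never consulted."""
    for line in acls:
        what, bys = parse_acl(line)
        if not what_matches(what, attr):
            continue
        for who, level in bys:
            if who_matches(who, bind_dn, target_dn):
                return level
        return "none"   # 'to' matched but no 'by' did: implicit 'by * none'
    return "none"

def allowed(acls, bind_dn, target_dn, attr, needed):
    """True if the granted level is at least `needed` (e.g. 'read', 'write')."""
    return LEVELS.index(granted(acls, bind_dn, target_dn, attr)) >= LEVELS.index(needed)
```

With ORIGINAL, `granted(ORIGINAL, "uid=rpuser,dc=foo,dc=bar", target, "userPassword")` returns "none" because the first userPassword clause has no "by" matching rpuser and its later "write" clause is never reached; with PROPOSED the same call returns "read".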