Ok, I thought the rule matched if "by" also matched. Thanks for shedding light on it.
I applied the olcAccess you proposed.
I still have the problem of deletion of the "dc=foo,dc=bar" tree on node2, for example when I add a user on node1. Any idea why?
--On Monday, January 13, 2020 4:53 PM +0100 Vincent Ducot <firstname.lastname@example.org> wrote:
yes, I understand the processing order. So something like this should
work, right ?
No. All access to userPassword is stopped by your very first ACL, no further ACLs for it will apply, as I already stated. Again, ACL processing STOPs at the FIRST matching rule. Additionally, a replication user only needs read access to read data off the master. It does not need explicit write access to its local db.
olcAccess: to attrs=userPassword by anonymous auth
olcAccess: to * by dn="uid=rpuser,dc=foo,dc=bar" write
olcAccess: to attrs=userPassword by self write by * none
olcAccess: to * by dn="cn=admin,dc=foo,dc=bar" write by self write by users read by * none
So in the above, any and all access to userPassword STOPs at the "by anonymous auth access". Any other type of request for access to userPassword will be denied.
You most likely want something more like:
olcAccess: to attrs=userPassword by anonymous auth by self write by dn.exact="uid=rpuser,dc=foo,dc=bar" read
olcAccess: to * by dn="cn=admin,dc=foo,dc=bar" write by self write by users read by * none
This appears to encapsulate the permissions you're trying to set up in the above.
Note that a "user" is *any* identity that successfully authenticated to the LDAP server, so the "rpuser" is already covered in the "to *" access line by the rule "by users read".
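Added example, not code from this thread or from OpenLDAP: a small Python model of the first-match ACL evaluation described above, run over both the original four-line ACL and the two-line replacement. It implements only the subset of olcAccess syntax the thread uses (attrs=/"*" targets; anonymous, self, users, "*" and dn[.exact]= subjects) and the documented rules from slapd.access(5): the first "to" clause whose target matches is the only one consulted, the first matching "by" clause inside it decides the level, and a non-empty ACL list ends with an implicit "to * by * none". The DNs for "alice" and the scenario list are constructed; DN comparison is a plain string compare rather than slapd's normalised match.

```python
"""Model of slapd's first-match ACL evaluation (constructed example)."""
import re
from typing import Optional

# Access levels in ascending order; a granted level satisfies any lower need.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def parse_acl(line: str) -> dict:
    """Parse 'olcAccess: [{n}]to <what> by <who> <level> [by ...]' into a dict."""
    body = re.sub(r"^olcAccess:\s*(\{\d+\})?", "", line).strip()
    what, _, rest = body.partition(" by ")
    target = what.split(None, 1)[1]                      # drop the leading 'to'
    attrs = None if target == "*" else set(target[len("attrs="):].split(","))
    by_clauses = []
    for clause in re.split(r"\s+by\s+", rest):
        who, level = clause.rsplit(None, 1)
        by_clauses.append((who.strip(), level))
    return {"attrs": attrs, "by": by_clauses}


def who_matches(who: str, requester: Optional[str], entry_dn: str) -> bool:
    """Does a <who> clause match the bound identity (None = anonymous)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":                                  # any authenticated identity
        return requester is not None
    if who == "self":
        return requester is not None and requester == entry_dn
    m = re.fullmatch(r'dn(?:\.exact)?="([^"]+)"', who)  # default dn style is exact
    if m:
        return requester == m.group(1)
    raise ValueError(f"unsupported <who> clause: {who}")


def check(acls: list, requester: Optional[str], entry_dn: str, attr: str, needed: str) -> bool:
    """Return True if the first ACL matching `attr` grants at least `needed`."""
    for acl in acls:
        if acl["attrs"] is not None and attr not in acl["attrs"]:
            continue                                    # <what> does not match; keep looking
        for who, level in acl["by"]:
            if who_matches(who, requester, entry_dn):
                return LEVELS.index(level) >= LEVELS.index(needed)
        return False        # <what> matched but no <who> did: evaluation STOPS here, denied
    return False            # implicit trailing 'to * by * none'


# The ACLs quoted in the thread (the problematic set and the suggested replacement).
BROKEN = [parse_acl(l) for l in [
    'olcAccess: to attrs=userPassword by anonymous auth',
    'olcAccess: to * by dn="uid=rpuser,dc=foo,dc=bar" write',
    'olcAccess: to attrs=userPassword by self write by * none',
    'olcAccess: to * by dn="cn=admin,dc=foo,dc=bar" write by self write by users read by * none',
]]
FIXED = [parse_acl(l) for l in [
    'olcAccess: to attrs=userPassword by anonymous auth by self write by dn.exact="uid=rpuser,dc=foo,dc=bar" read',
    'olcAccess: to * by dn="cn=admin,dc=foo,dc=bar" write by self write by users read by * none',
]]

ADMIN = "cn=admin,dc=foo,dc=bar"
RPUSER = "uid=rpuser,dc=foo,dc=bar"
ALICE = "uid=alice,dc=foo,dc=bar"     # constructed ordinary user entry

# (name, requester, entry, attribute, level needed)
SCENARIOS = [
    ("anon_bind", None, ALICE, "userPassword", "auth"),      # simple bind as alice
    ("rpuser_read_pw", RPUSER, ALICE, "userPassword", "read"),  # replication pull
    ("alice_change_pw", ALICE, ALICE, "userPassword", "write"),
    ("admin_write_cn", ADMIN, ALICE, "cn", "write"),
    ("rpuser_write_cn", RPUSER, ALICE, "cn", "write"),        # not needed for replication
]


def run(acls: list) -> dict:
    """Evaluate every scenario against an ACL list; returns {name: granted}."""
    return {name: check(acls, req, ent, attr, lvl) for name, req, ent, attr, lvl in SCENARIOS}


if __name__ == "__main__":
    for label, acls in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(label)
        for name, granted in run(acls).items():
            print(f"  {name:18} {'granted' if granted else 'DENIED'}")
```

With the original four lines, every request touching userPassword stops at the first ACL, so the replica's read and the user's own password change are denied, and the "to *" line for rpuser swallows all other attributes before the admin rule is ever reached. The two-line version grants each identity exactly what the reply describes.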