Daniel Howard wrote:
I had to do it this way:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {2}to * by dn="cn=admin,dc=example,dc=com" write by * read
-
add: olcAccess
olcAccess: {2}to attrs=sshPublicKey,gecos by self write
-
add: olcAccess
olcAccess: {3}to * by dn="cn=admin,dc=example,dc=com" write by * read
You cannot have, for example, multiple {2}, so you have to delete and then add. In this case, I was using sudo to do the ldapmodify instead of admin, so no risk of lockout. What I am wondering is if this is at all like an atomic transaction: either you can apply the whole LDIF at once or not ... if it happens in one go you won't get locked out ...
In the mailing list archives I found a suggestion (no example) that you could somehow insert a rule by number ...
Read this http://www.openldap.org/lists/openldap-technical/201603/msg00057.html
The LDAP spec already says that LDAPModify is atomic. Read the specs.
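Added example (not part of either message above): the insert-by-index LDIF the first message was asking about. It relies on the ordered-value handling described in slapd-config(5): when an olcAccess value is added with an explicit {N} index, slapd inserts it at that position and renumbers the values after it, so the existing {2} catch-all becomes {3} without a separate delete. Because the whole modify is one LDAP operation (RFC 4511 section 4.6 requires the modification list to be applied as a single atomic operation), there is no intermediate state in which the catch-all rule is missing. The database DN, admin DN and attribute names are carried over from the message above as assumptions.

```ldif
# Added example, not from the thread. Insert a new rule at position {2}
# in a single modify; slapd shifts the current {2} rule to {3}.
# Assumed: database olcDatabase={1}hdb, admin cn=admin,dc=example,dc=com.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
# Once a "to" clause matches, evaluation stops and any identity not named
# in a "by" clause gets the implicit "by * none". "by * read" is included
# here so that other clients (e.g. an SSH key lookup account) can still
# read these attributes; drop it if they are meant to be self-only.
olcAccess: {2}to attrs=sshPublicKey,gecos by self write by * read
```

Apply it the same way the message describes, over the local socket with the root identity rather than as cn=admin: `ldapmodify -Y EXTERNAL -H ldapi:/// -f insert.ldif`. Afterwards, `ldapsearch -Y EXTERNAL -H ldapi:/// -b 'olcDatabase={1}hdb,cn=config' olcAccess` should list the new rule as {2} and the former {2} catch-all as {3}. The same indexed form works in reverse: `delete: olcAccess` with a value of just `{2}` removes the rule at that position and renumbers the rest.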