--On Friday, September 06, 2013 11:52 AM -0500 espeake@oreillyauto.com wrote:
From: Quanah Gibson-Mount quanah@zimbra.com
To: espeake@oreillyauto.com
Cc: openldap-technical@openldap.org
Date: 09/06/2013 11:45 AM
Subject: Re: SyncRepl Chaining
--On Friday, September 06, 2013 11:35 AM -0500 espeake@oreillyauto.com wrote:
Here is the olcAccess from the slapcat on the database. Rule {0} should be what it is using, but because of it not authenticating, rule {2} is being applied instead.
Did you mean to paste your rules in here and forget? ;)
--Quanah
Yep. Had a hungry child calling me while I was trying to get this out.
olcAccess: {0}to *
 by dn.base="uid=syncrepl,ou=System,dc=oreillyauto,dc=com" read
 by dn.base="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" read
 by dn.base="uid=ldapAdmin,ou=System,dc=oreillyauto,dc=com" write
 by dn.base="uid=newUserAdmin,ou=System,dc=oreillyauto,dc=com" write
 by dn.base="uid=passwordAdmin,ou=System,dc=oreillyauto,dc=com" write
As you have no break clause, this is the only ACL that ever applies. Since there is no anonymous read access to userPassword, it is impossible to authenticate as any user. Thus your inability to authenticate any user is entirely caused by your broken ACLs.
--Quanah
--
Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
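To make the evaluation order Quanah describes concrete, here is an added example that is not part of the thread and not OpenLDAP code: a small Python model of how slapd walks access directives (the first matching `to` clause is the only one consulted, the first matching `by` clause inside it decides, and no match means the implicit `by * none`), run over the olcAccess value posted above and over an assumed corrected version that puts a `to attrs=userPassword ... by anonymous auth` rule ahead of the catch-all. The corrected rule, the `uid=example` entry DN and the `evaluate` helper are assumptions for illustration; the admin DNs are the ones from the thread.

```python
import re

# slapd privilege order; a granted level implies every level below it,
# so "read" on userPassword is enough for the "auth" a bind needs.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def level_at_least(granted, required):
    return LEVELS.index(granted) >= LEVELS.index(required)


def parse_olc_access(line):
    """Parse '{n}to <what> by <who> <level> ...' for the subset used here:
    <what> is '*' or 'attrs=a,b'; <who> is '*', 'anonymous', 'users', 'self'
    or dn.base="...". Returns (attrs or None for '*', [(who, level), ...])."""
    line = re.sub(r"^\{\d+\}", "", line.strip())
    if not line.startswith("to "):
        raise ValueError("olcAccess value must start with 'to'")
    what, *by_parts = re.split(r"\s+by\s+", line[3:])
    what = what.strip()
    if what == "*":
        target_attrs = None
    elif what.startswith("attrs="):
        target_attrs = set(what[len("attrs="):].split(","))
    else:
        raise ValueError(f"unsupported <what> clause: {what}")
    by_clauses = []
    for clause in by_parts:
        who_txt, level = clause.strip().rsplit(None, 1)
        m = re.fullmatch(r'dn\.base="([^"]+)"', who_txt)
        by_clauses.append((("dn.base", m.group(1)) if m else (who_txt,), level))
    return target_attrs, by_clauses


def by_matches(who, requester_dn, target_dn):
    # requester_dn is None for an anonymous (not yet bound) connection.
    kind = who[0]
    if kind == "*":
        return True
    if kind == "anonymous":
        return requester_dn is None
    if kind == "users":
        return requester_dn is not None
    if kind == "self":
        return requester_dn is not None and requester_dn.lower() == target_dn.lower()
    if kind == "dn.base":
        return requester_dn is not None and requester_dn.lower() == who[1].lower()
    raise ValueError(f"unsupported <who> clause: {who}")


def granted_access(acls, requester_dn, target_dn, attr):
    """Level requester_dn gets on attr of target_dn, without break/continue:
    first matching 'to' clause only; first matching 'by' in it; else none."""
    for target_attrs, by_clauses in acls:
        if target_attrs is not None and attr not in target_attrs:
            continue
        for who, level in by_clauses:
            if by_matches(who, requester_dn, target_dn):
                return level
        return "none"  # matched 'to' clause but no 'by' clause: implicit by * none
    return "none"


def simple_bind_allowed(acls, bind_dn):
    # A simple bind is checked as anonymous and needs "auth" on the
    # bind DN's userPassword; without it no user can ever authenticate.
    return level_at_least(granted_access(acls, None, bind_dn, "userPassword"), "auth")


# The olcAccess value posted in the thread.
THREAD_ACL = [
    '{0}to * '
    'by dn.base="uid=syncrepl,ou=System,dc=oreillyauto,dc=com" read '
    'by dn.base="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" read '
    'by dn.base="uid=ldapAdmin,ou=System,dc=oreillyauto,dc=com" write '
    'by dn.base="uid=newUserAdmin,ou=System,dc=oreillyauto,dc=com" write '
    'by dn.base="uid=passwordAdmin,ou=System,dc=oreillyauto,dc=com" write',
]

# Assumed correction (not from the thread): a userPassword rule that lets
# anonymous binds authenticate goes first; the catch-all becomes {1}. Accounts
# that must set other users' passwords need their own 'by' clause in {0}.
FIXED_ACL = ["{0}to attrs=userPassword by self write by anonymous auth by * none",
             "{1}" + THREAD_ACL[0][3:]]

ADMIN_DN = "uid=ldapAdmin,ou=System,dc=oreillyauto,dc=com"  # from the thread
USER_DN = "uid=example,ou=People,dc=oreillyauto,dc=com"      # constructed entry


def evaluate(acl_lines):
    acls = [parse_olc_access(line) for line in acl_lines]
    return {
        "admin_can_bind": simple_bind_allowed(acls, ADMIN_DN),
        "admin_on_cn": granted_access(acls, ADMIN_DN, USER_DN, "cn"),
        "anon_on_cn": granted_access(acls, None, USER_DN, "cn"),
    }


if __name__ == "__main__":
    print("thread ACL:", evaluate(THREAD_ACL))
    print("fixed ACL: ", evaluate(FIXED_ACL))
```

Running it shows the point of the reply: under the posted rule the admin DN would have `write` once bound, but the anonymous bind that has to precede it gets `none` on userPassword, so no bind ever succeeds and rule {2} never gets a chance to apply; with a userPassword rule in front, the bind succeeds and the catch-all still governs everything else.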