Hi all,
On Thu, Oct 12, 2017 at 11:06:00AM -0700, Quanah Gibson-Mount wrote:
So for your back-mdb database, what one would expect is more something like:
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read olcAccess: {1}to dn.children="ou=ABC Customer,dc=core,dc=hdt,dc=hu" by self write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=core,dc=hdt,dc=hu" write by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read olcAccess: {2}to * by * read
now the rules are:
dn: olcDatabase={1}mdb,cn=config olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read by * none olcAccess: {1}to dn.children="ou=ABC Customer,dc=core,dc=hdt,dc=hu" by self write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=core,dc=hdt,dc=hu" write by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read olcAccess: {2}to * by * read
and a member of cn=groupabcadmin,ou=ABC Customer,dc=core,dc=hdt,dc=hu can modify any attributes at any users under the ou=ABC Customer, EXCEPT the userPassword - when I want to modify that, I get permission error:
ldap_modify: Insufficient access (50)
Oct 16 10:42:05 open-ldap slapd[31421]: => access_allowed: result not in cache (userPassword) Oct 16 10:42:05 open-ldap slapd[31421]: => access_allowed: delete access to "uid=abc_airween,ou=ABC Customer,dc=core,dc=hdt,dc=hu" "userPassword" requested Oct 16 10:42:05 open-ldap slapd[31421]: => acl_get: [1] attr userPassword Oct 16 10:42:05 open-ldap slapd[31421]: => acl_mask: access to entry "uid=abc_airween,ou=ABC Customer,dc=core,dc=hdt,dc=hu", attr "userPassword" requested Oct 16 10:42:05 open-ldap slapd[31421]: => acl_mask: to all values by "uid=abc_user1,ou=abc customer,dc=core,dc=hdt,dc=hu", (=0) Oct 16 10:42:05 open-ldap slapd[31421]: <= check a_dn_pat: self Oct 16 10:42:05 open-ldap slapd[31421]: <= check a_dn_pat: anonymous Oct 16 10:42:05 open-ldap slapd[31421]: <= check a_dn_pat: uid=repuser,dc=core,dc=hdt,dc=hu Oct 16 10:42:05 open-ldap slapd[31421]: <= check a_dn_pat: * Oct 16 10:42:05 open-ldap slapd[31421]: <= acl_mask: [4] applying none(=0) (stop) Oct 16 10:42:05 open-ldap slapd[31421]: <= acl_mask: [4] mask: none(=0) Oct 16 10:42:05 open-ldap slapd[31421]: => slap_access_allowed: delete access denied by none(=0) Oct 16 10:42:05 open-ldap slapd[31421]: => access_allowed: no more rules
How can I combine the attrs and group permissions? Should I list all attributes in rule?
Thanks,
a.