Hi,
yes, I understand the processing order. So something like this should work, right ?
olcAccess: to attrs=userPassword by anonymous auth olcAccess: to * by dn="uid=rpuser,dc=foo,dc=bar" write olcAccess: to attrs=userPassword by self write by * none olcAccess: to * by dn="cn=admin,dc=foo,dc=bar" write by self write by users read by * none
Actually, after an object is replicated, rpuser is deleted (and also other objects of the same tree). Any idea why ?
In the log I get :
Jan 13 16:26:33 node5 slapd[9976]: => access_allowed: delete access to "dc=foo,dc=bar" "children" requested Jan 13 16:26:33 node5 slapd[9976]: <= root access granted Jan 13 16:26:33 node5 slapd[9976]: => access_allowed: delete access granted by manage(=mwrscxd) Jan 13 16:26:33 node5 slapd[9976]: => access_allowed: delete access to "uid=rpuser,dc=foo,dc=bar" "entry" requested Jan 13 16:26:33 node5 slapd[9976]: <= root access granted Jan 13 16:26:33 node5 slapd[9976]: => access_allowed: delete access granted by manage(=mwrscxd) Jan 13 16:26:33 node5 slapd[9976]: => index_entry_del( 7, "uid=rpuser,dc=foo,dc=bar" ) Jan 13 16:26:33 node5 slapd[9976]: <= index_entry_del( 7, "uid=rpuser,dc=foo,dc=bar" ) success Jan 13 16:26:33 node5 slapd[9976]: mdb_delete: deleted id=00000007 dn="uid=rpuser,dc=foo,dc=bar"
Thanks
Le 10/01/2020 à 23:27, Quanah Gibson-Mount a écrit :
--On Friday, January 10, 2020 5:48 PM +0100 Vincent Ducot vincent.ducot@rubycat.eu wrote:
a) It's not the same location, it's /var/lib and /var/lab (yeah, tricky)
Ah, missed that.
b) I tested several possibilities but I didn't manage to make it work. Either the problem stayed the same, either the replication didn't work anymore, either I couldn't access to rpuser.
I understand that :
- rpuser should have read/write access to its password (to
attrs=userPassword by dn="uid=rpuser,dc=foo,dc=bar" write)
- rpuser should have read/write access to all data (to * by
dn="uid=rpuser,dc=foo,dc=bar" write)
Sure, but ACLs stop processing on the first matching rule. Please review the slapd.access(5) man page. Your ACLsforthe rpuser are never evaluated since prior rules prevent them being reached.
--Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com