Hi,

yes, I understand the processing order. So something like this should work, right ?


olcAccess: to attrs=userPassword by anonymous auth
olcAccess: to * by dn="uid=rpuser,dc=foo,dc=bar" write
olcAccess: to attrs=userPassword by self write by * none
olcAccess: to * by dn="cn=admin,dc=foo,dc=bar" write by self write by users read by * none

Actually, after an object is replicated, rpuser is deleted (and also other objects of the same tree). Any idea why ?

In the log I get :

Jan 13 16:26:33 node5 slapd[9976]: => access_allowed: delete access to "dc=foo,dc=bar" "children" requested
Jan 13 16:26:33 node5 slapd[9976]: <= root access granted
Jan 13 16:26:33 node5 slapd[9976]: => access_allowed: delete access granted by manage(=mwrscxd)
Jan 13 16:26:33 node5 slapd[9976]: => access_allowed: delete access to "uid=rpuser,dc=foo,dc=bar" "entry" requested
Jan 13 16:26:33 node5 slapd[9976]: <= root access granted
Jan 13 16:26:33 node5 slapd[9976]: => access_allowed: delete access granted by manage(=mwrscxd)
Jan 13 16:26:33 node5 slapd[9976]: => index_entry_del( 7, "uid=rpuser,dc=foo,dc=bar" )
Jan 13 16:26:33 node5 slapd[9976]: <= index_entry_del( 7, "uid=rpuser,dc=foo,dc=bar" ) success
Jan 13 16:26:33 node5 slapd[9976]: mdb_delete: deleted id=00000007 dn="uid=rpuser,dc=foo,dc=bar"

Thanks


Le 10/01/2020 à 23:27, Quanah Gibson-Mount a écrit :


--On Friday, January 10, 2020 5:48 PM +0100 Vincent Ducot <vincent.ducot@rubycat.eu> wrote:

a) It's not the same location, it's /var/lib and /var/lab (yeah, tricky)

Ah, missed that.

b) I tested several possibilities but I didn't manage to make it work.
Either the problem stayed the same, either the replication didn't work
anymore, either I couldn't access to rpuser.

I understand that :


- rpuser should have read/write access to its password (to
attrs=userPassword by dn="uid=rpuser,dc=foo,dc=bar" write)

- rpuser should have read/write access to all data (to * by
dn="uid=rpuser,dc=foo,dc=bar" write)

Sure, but ACLs stop processing on the first matching rule.  Please review the slapd.access(5) man page.  Your ACLsforthe rpuser are never evaluated since prior rules prevent them being reached.

--Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>