--On Sunday, January 24, 2021 10:05 PM +0200 "Harri T." haba713@gmail.com wrote:
Hi,
Could someone please give an example of .ldif for granting *read-only* access on all the directory to the user "cn=query,dc=example,dc=com"?
I don't know what you mean by "an example of .ldif".
If it were slapd.conf, it would be something like:
database mdb
suffix dc=example,dc=com

access to * by dn.exact="cn=query,dc=example,dc=com"
If it were a cn=config database, something like:
ldapmodify ...
dn: olcDatabase={X}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to * by dn.exact="cn=query,dc=example,dc=com"
You'd need to modify "X" to be the actual database containing the data you want it to have read access on. Additionally, since this does an insert to be access rule 0, no other access rules that may be in the database would be validated.
In both cases, this ACL would most likely not be useful since it would block simple (userPassword) authentication, meaning it would be impossible to authenticate to being the "cn=query,dc=example,dc=com" user since there is no anonymous auth access to userPassword.
A more useful set of ACLs might be something like:
-- slapd.conf --

access to attrs=userPassword
    by anonymous auth
    by self write
    by dn.exact="cn=query,dc=example,dc=com" read

access to * by dn.exact="cn=query,dc=example,dc=com" read
-- cn=config --
olcAccess: {0}to attrs=userPassword by anonymous auth by self write by dn.exact="cn=query,dc=example,dc=com" read
olcAccess: {1}to * by dn.exact="cn=query,dc=example,dc=com" read
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
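Added example, not part of Quanah's reply and not OpenLDAP project code: a POSIX shell script that applies the two-rule ACL from the reply to a cn=config database using a replace rather than an add at {0} (so it does not silently shadow rules already present, the caveat raised above), and then checks that cn=query can read, cannot write, and that anonymous binds cannot read userPassword. The database DN olcDatabase={1}mdb,cn=config, the ldapi:/// URI, SASL EXTERNAL access to cn=config, and the QUERY_PW environment variable are assumptions to adjust for your server.

```shell
#!/bin/sh
# Added example (not from the list thread). Applies a read-only ACL for
# cn=query to a cn=config database and verifies it.
# Assumed (adjust): the data database is olcDatabase={1}mdb,cn=config, the
# server listens on ldapi:///, cn=config is reachable via SASL EXTERNAL as
# root, and QUERY_PW holds the password of cn=query for the verify step.
set -eu

DB_DN='olcDatabase={1}mdb,cn=config'      # assumed; confirm with show_current_acl
QUERY_DN='cn=query,dc=example,dc=com'
BASE='dc=example,dc=com'
URI='ldapi:///'

# Show the olcAccess values currently in place. Read this first: the replace
# below discards every existing rule, so fold any you still need into the LDIF.
show_current_acl() {
    ldapsearch -Q -LLL -Y EXTERNAL -H "$URI" -b "$DB_DN" -s base olcAccess
}

# Emit an LDIF that replaces olcAccess with exactly the two rules from the
# reply: anonymous may use userPassword only to authenticate, users may change
# their own password, cn=query may read everything. Anyone else is denied.
# LDIF folding: a continuation line starts with one space, which is stripped
# on unfolding, so the two leading spaces leave one separating space.
build_acl_ldif() {
    cat <<EOF
dn: $DB_DN
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by anonymous auth
  by self write
  by dn.exact="$QUERY_DN" read
olcAccess: {1}to *
  by dn.exact="$QUERY_DN" read
EOF
}

apply_acl() {
    build_acl_ldif | ldapmodify -Q -Y EXTERNAL -H "$URI"
}

# Verify the intended behaviour from three angles:
#   1. a bound cn=query can search the tree,
#   2. a bound cn=query is refused a write,
#   3. an anonymous search returns no userPassword values.
verify_readonly() {
    ldapsearch -x -H "$URI" -D "$QUERY_DN" -w "$QUERY_PW" -b "$BASE" -LLL dn >/dev/null \
        && echo "read as $QUERY_DN: OK"
    if printf 'dn: %s\nchangetype: modify\nreplace: description\ndescription: must fail\n' "$BASE" \
        | ldapmodify -x -H "$URI" -D "$QUERY_DN" -w "$QUERY_PW" >/dev/null 2>&1; then
        echo "write as $QUERY_DN succeeded: ACL is NOT read-only" >&2
        return 1
    fi
    echo "write as $QUERY_DN refused: OK"
    if ldapsearch -x -H "$URI" -b "$BASE" -LLL userPassword 2>/dev/null | grep -q '^userPassword:'; then
        echo "anonymous can read userPassword: fix the ACL" >&2
        return 1
    fi
    echo "userPassword hidden from anonymous: OK"
}

# Usage: ./acl.sh show | apply | verify  (no argument just prints the LDIF)
case "${1:-}" in
    show)   show_current_acl ;;
    apply)  apply_acl ;;
    verify) verify_readonly ;;
    *)      build_acl_ldif ;;
esac
```

Run `show` first, merge any existing rules you must keep into build_acl_ldif, then `apply`, then `verify` with QUERY_PW exported. Because the replace installs exactly two rules, any write access other accounts previously had through olcAccess is gone until you add it back; the rootdn is unaffected since it bypasses ACLs.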