--On Monday, October 16, 2017 6:05 PM +0200 Ervin Hegedüs airween@gmail.com wrote:

> > Hm, yes, that's correct. You'll need to do something like utilize by * break appropriately, or have multiple "access to userPassword" ACLs by group, then a catchall after that.
>
> I'm sorry - could you give me an example?
Sure, no problem. :)
One way to do it is to have an access line per subtree for those attributes, adding the group permission, with a final access to just userPassword itself limiting off all other access for anything outside of those trees:
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to dn.children="ou=ABC Customer,dc=core,dc=hdt,dc=hu" attrs=userPassword,shadowLastChange
 by self write
 by anonymous auth
 by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read
 by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=core,dc=hdt,dc=hu" write
... Additional subtree ACLs with groups for userPassword/shadowLastChange access ...
olcAccess: {#}to attrs=userPassword,shadowLastChange
 by self write
 by anonymous auth
 by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read
olcAccess: {#}to dn.children="ou=ABC Customer,dc=core,dc=hdt,dc=hu"
 by self write
 by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=core,dc=hdt,dc=hu" write
 by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read
olcAccess: {#}to * by * read
The other option is to use "by * break", which tells slapd to continue processing additional rules. If you do that, you'll need to be particularly careful not to give access beyond what you intended. For that purpose, I added a final ACL rule that says zero access to userPassword prior to the "* by * read" ACL.
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange
 by self write
 by anonymous auth
 by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read
 by * break
olcAccess: {1}to dn.children="ou=ABC Customer,dc=core,dc=hdt,dc=hu"
 by self write
 by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=core,dc=hdt,dc=hu" write
 by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read
... Additional subtree ACLs with groups ...
olcAccess: {#}to attrs=userPassword by * none
olcAccess: {#}to * by * read
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
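To show why the "by * break" variant needs the trailing "to attrs=userPassword by * none" guard, here is a small evaluator that models slapd's first-matching-target / first-matching-who rules, the break control and the implicit "by * none" at the end of every directive, and runs the second ACL set from the mail with and without the guard. It is an added example, not code from the list post or from OpenLDAP: it supports only the <what> and <who> forms the mail uses, and the entries and identities it checks (uid=alice under the ABC Customer subtree, uid=bob under a constructed ou=Other subtree with no per-subtree ACL, an admin user that is a member of groupabcadmin) are made up for the test.

```python
# Toy model of olcAccess evaluation (added example, not slapd code). Covers only the
# clause forms used in the mail: dn.children, attrs, self, anonymous, dn, group.exact,
# *, and the stop/break controls, with slapd's first-match and implicit "by * none" rules.

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

BASE = "dc=core,dc=hdt,dc=hu"
ABC = "ou=ABC Customer," + BASE
REPUSER = "uid=repuser," + BASE
ABC_ADMINS = "cn=groupabcadmin," + ABC


def is_child(entry_dn, base_dn):
    """dn.children: entry strictly below base (naive, case-insensitive string model)."""
    e, b = entry_dn.lower(), base_dn.lower()
    return e != b and e.endswith("," + b)


class Acl:
    """One olcAccess directive: a <what> target plus an ordered list of <who> clauses."""

    def __init__(self, by, dn_children=None, attrs=None):
        self.dn_children = dn_children
        self.attrs = None if attrs is None else {a.lower() for a in attrs}
        self.by = by  # list of (who, level, control); control is "stop" or "break"

    def matches(self, entry_dn, attr):
        if self.dn_children is not None and not is_child(entry_dn, self.dn_children):
            return False
        if self.attrs is not None and attr.lower() not in self.attrs:
            return False
        return True


def who_matches(who, subject, entry_dn):
    """subject = {"dn": bind DN or None for anonymous, "groups": set of group DNs}."""
    if who == "*":
        return True
    if who == "anonymous":
        return subject["dn"] is None
    if who == "self":
        return subject["dn"] is not None and subject["dn"].lower() == entry_dn.lower()
    kind, _, arg = who.partition("=")
    if kind == "dn":
        return subject["dn"] is not None and subject["dn"].lower() == arg.lower()
    if kind == "group.exact":
        return arg.lower() in {g.lower() for g in subject["groups"]}
    raise ValueError("unsupported <who> form: " + who)


def granted(acls, subject, entry_dn, attr):
    """First directive whose <what> matches the target is used; inside it the first matching
    <who> decides, 'break' moves on to the next directive, and a matched directive with no
    matching <who> is an implicit 'by * none'."""
    for acl in acls:
        if not acl.matches(entry_dn, attr):
            continue
        for who, level, control in acl.by:
            if who_matches(who, subject, entry_dn):
                if control == "break":
                    break          # keep evaluating with the next olcAccess
                return level
        else:
            return "none"          # implicit 'by * none'
    return "none"                  # no directive matched at all


def allowed(acls, subject, entry_dn, attr, wanted):
    """A granted level implies every lower level (auth < read < write ...)."""
    return LEVELS.index(granted(acls, subject, entry_dn, attr)) >= LEVELS.index(wanted)


PASSWORD_ATTRS = ["userPassword", "shadowLastChange"]
PASSWORD_BY = [("self", "write", "stop"), ("anonymous", "auth", "stop"),
               ("dn=" + REPUSER, "read", "stop")]
ABC_SUBTREE = Acl(dn_children=ABC, by=[("self", "write", "stop"),
                                       ("group.exact=" + ABC_ADMINS, "write", "stop"),
                                       ("dn=" + REPUSER, "read", "stop")])
CATCH_ALL = Acl(by=[("*", "read", "stop")])

# The "by * break" layout from the mail, first WITHOUT the final guard...
BREAK_NO_GUARD = [Acl(attrs=PASSWORD_ATTRS, by=PASSWORD_BY + [("*", "none", "break")]),
                  ABC_SUBTREE, CATCH_ALL]
# ...and then with "to attrs=userPassword by * none" placed before "to * by * read".
GUARD = Acl(attrs=["userPassword"], by=[("*", "none", "stop")])
BREAK_WITH_GUARD = BREAK_NO_GUARD[:-1] + [GUARD, CATCH_ALL]

# Constructed identities and entries for the check (not from the mail).
ANON = {"dn": None, "groups": set()}
ALICE_DN = "uid=alice," + ABC                 # a user inside the ABC Customer subtree
BOB_DN = "uid=bob,ou=Other," + BASE           # a user in a subtree with no per-subtree ACL
ALICE = {"dn": ALICE_DN, "groups": set()}
BOB = {"dn": BOB_DN, "groups": set()}
REP = {"dn": REPUSER, "groups": set()}
ADMIN = {"dn": "uid=admin," + ABC, "groups": {ABC_ADMINS}}


def outsider_reads_unguarded_password():
    """The gap the guard closes: with break and no guard, any bound user reading the
    userPassword of an entry outside the per-subtree ACLs falls through to 'to * by * read'."""
    return allowed(BREAK_NO_GUARD, ALICE, BOB_DN, "userPassword", "read")
```

Running the checks shows that the guard changes exactly one outcome: a bound user reading userPassword on an entry that no per-subtree ACL covers goes from read to none, while self write, anonymous auth, repuser read and the group admins' write are unchanged. One caveat the model also makes visible: the guard as written names only userPassword, so shadowLastChange on such an entry still falls through to the catch-all and is readable by everyone; if that is not intended, list both attributes in the guard.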