--On Wednesday, May 20, 2020 12:48 PM -0700 Gao gao@pztop.com wrote:
Thank you for the advice. I made an LDIF like this:

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to * by dn="uid=rpuser,dc=van,dc=company,dc=com" read by * read
This will insert 2 new acls, and leave the existing ACLs. You don't want to do this. I already sent you a response on the correct way to fix the ACL statement.
Also, the above ACL set would not solve the problem. As clearly documented in slapd.access(5), ACL evaluation STOPS on the first matching access clause. The "by * none" would then block access to the RPuser to userPassword.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
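The first-match rule Quanah cites from slapd.access(5) is easy to get wrong, so here is a small evaluator that models it. This is an added illustration, not code from the thread or from OpenLDAP: it parses olcAccess values in the form posted above and walks them the way slapd does (first matching "to" clause wins, first matching "by" clause inside it decides, and an implicit "by * none" closes every matched directive). The rpuser DN is the one from Gao's message; the CORRECTED_ACLS set is an assumed alternative that grants rpuser read on userPassword by placing its "by" clause inside the same directive, not Quanah's earlier reply, which is not on this page. Only the "who" forms used here (self, anonymous, *, dn="...") are modelled; control keywords such as stop/break are not.

```python
# Minimal first-match evaluator for OpenLDAP olcAccess clauses (added illustration, not slapd code).
import re

# Access levels in increasing order, as in slapd.access(5).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

RPUSER = 'uid=rpuser,dc=van,dc=company,dc=com'

# The two values from the posted LDIF: rpuser's grant lives in a directive that is never reached.
GAO_ACLS = [
    '{0}to attrs=userPassword by self write by anonymous auth by * none',
    '{1}to * by dn="uid=rpuser,dc=van,dc=company,dc=com" read by * read',
]

# Assumed corrected form: rpuser is granted inside the userPassword directive itself.
CORRECTED_ACLS = [
    '{0}to attrs=userPassword by self write by dn="uid=rpuser,dc=van,dc=company,dc=com" read by anonymous auth by * none',
    '{1}to * by * read',
]


def parse_acl(value):
    """Split one olcAccess value into its <what> and an ordered list of (<who>, <access>)."""
    value = re.sub(r'^\{\d+\}', '', value.strip())          # drop the {n} ordering prefix
    m = re.match(r'to\s+(\S+)\s+(.*)$', value)
    if m is None:
        raise ValueError("unparseable access directive: %r" % value)
    what, rest = m.group(1), m.group(2)
    bys = [(bm.group(1), bm.group(2))
           for bm in re.finditer(r'\bby\s+(dn="[^"]*"|\S+)\s+(\S+)', rest)]
    return what, bys


def what_matches(what, attr):
    """Does the <what> clause cover the requested attribute?"""
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr in what[len("attrs="):].split(",")
    return False


def who_matches(who, requester, target_dn):
    """Does the <who> clause match the bound identity (None = anonymous)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester.lower() == target_dn.lower()
    if who.startswith('dn="') and who.endswith('"'):
        return requester is not None and requester.lower() == who[4:-1].lower()
    return False


def evaluate(acls, requester, target_dn, attr):
    """Return the access level slapd would grant: first matching 'to', first matching 'by'."""
    for value in acls:
        what, bys = parse_acl(value)
        if not what_matches(what, attr):
            continue
        for who, level in bys:
            if who_matches(who, requester, target_dn):
                return level
        return "none"        # implicit 'by * none' at the end of a matched directive
    return "none"            # no directive matched at all


def allows(acls, requester, target_dn, attr, needed):
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(evaluate(acls, requester, target_dn, attr)) >= LEVELS.index(needed)


if __name__ == "__main__":
    alice = "uid=alice,dc=van,dc=company,dc=com"
    for name, acls in (("posted", GAO_ACLS), ("corrected", CORRECTED_ACLS)):
        print(name, "rpuser on userPassword:", evaluate(acls, RPUSER, alice, "userPassword"))
```

Running it shows the point of the reply: with the posted ordering rpuser gets "none" on userPassword because directive {0} matches first and its "by * none" ends evaluation, while the corrected set yields "read" for rpuser, "write" for the entry owner and "auth" for anonymous binds, and leaves other attributes readable through directive {1}.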