--On Wednesday, May 20, 2020 12:48 PM -0700 Gao <gao(a)pztop.com> wrote:
> Thank you for the advice. I made an ldif like this:
>
> dn: olcDatabase={2}hdb,cn=config
> changetype: modify
> add: olcAccess
> olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
> olcAccess: {1}to by dn="uid=rpuser,dc=van,dc=company,dc=com" read by * read
This will insert 2 new acls, and leave the existing ACLs. You don't want
to do this. I already sent you a response on the correct way to fix the
ACL statement.
Also, the above ACL set would not solve the problem. As clearly documented
in slapd.access(5), ACL evaluation STOPS on the first matching access
clause. The "by * none" would then block access to the RPuser to
userPassword.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
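For readers following the thread, here is an added example (not Quanah's reply to Gao, which is not on this page) showing the first-match rule at work. It assumes the intent is that `uid=rpuser,dc=van,dc=company,dc=com` is a replication/reader identity that must read every attribute, including `userPassword`, and that the `{2}hdb` database carries no other olcAccess values worth keeping; both are assumptions. The first set is Gao's ordering, where the clause for rpuser on `userPassword` never fires because `by * none` already matched; the second moves the rpuser clause ahead of it and uses `replace:` so the whole ACL list is restated in order rather than two values being inserted in front of whatever is already there.

```ldif
# Weak: within the {0} clause slapd takes the first "by" whose <who> matches
# the bound DN. For rpuser that is "by * none", so the later {1} clause is
# never consulted for userPassword and the replication read fails.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to *
  by dn.exact="uid=rpuser,dc=van,dc=company,dc=com" read
  by * read

# Corrected: the rpuser "by" clause precedes "by * none" in the userPassword
# clause, so it matches first and is granted read. Everything else keeps the
# same result as before. (rpuser DN is an assumption taken from the thread.)
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by dn.exact="uid=rpuser,dc=van,dc=company,dc=com" read
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to *
  by dn.exact="uid=rpuser,dc=van,dc=company,dc=com" read
  by * read
```

Two caveats. `replace: olcAccess` overwrites every existing olcAccess value on that database, so list all the clauses you want to keep, in order; `add:` with `{0}`/`{1}` prefixes inserts in front of the existing ones, which is what Quanah objected to. And `read` on `userPassword` hands that DN the password hashes of every entry, so rpuser should be a dedicated account with a strong credential, bound only from the hosts that need it, and never reused for ordinary directory access. The continuation lines above start with two spaces because LDIF strips exactly one leading space when it joins a folded line.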