Bill,
The slapacl command can help here. It analyzes permissions granted by the ACLs, and if the -d -1 option (debugging) is included with the command it will tell you which ACL is processed and what permission it grants. That will help you identify why your user isn't being granted the permissions you expect. Below are a couple of examples. You can craft your own slapacl command from them.
slapacl -f /usr/local/etc/openldap/slapd.conf -v \
    -U bjorn -b "o=University of Michigan,c=US" \
    "o/read:University of Michigan"
Tests whether the user bjorn can access the attribute o of the entry o=University of Michigan,c=US at read level
slapacl -f slapd.conf -v \
    -D "cn=Belle Moxley,ou=Accounting,dc=example,dc=com" \
    -b "cn=Andre Grills,ou=Janitorial,dc=example,dc=com" \
    telephoneNumber/read fax/read facsimileTelephoneNumber/read
Tests whether a user from Accounting can access telephone and fax number attributes for a user in Janitorial.
Let me know if you need further assistance.

Jason Trupp
Symas Corporation
(855) LDAP-GUY
-----Original Message-----
From: openldap-technical <openldap-technical-bounces@openldap.org> On Behalf Of Bill Bradford
Sent: Thursday, August 30, 2018 2:17 PM
To: openldap-technical@openldap.org
Subject: Problem with ACLs
Trying to give a single user "read only" access to everything in the database including userPassword info.
Here's the LDIF file I'm using w/ldapmodify:
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=domain,dc=com" write by dn.exact="uid=romanager,ou=Users,dc=domain,dc=com" read by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=domain,dc=com" write by * read
However, authenticating as uid=romanager,ou=Users,dc=domain,dc=com lets that user read his own password hash, but nobody else's. In other words it's authenticating just like any other user, and it's as if the
by dn.exact="uid=romanager,ou=Users,dc=domain,dc=com" read
line is being ignored. The change is being applied, as I've looked at the database files for the config. I've tried restarting slapd, etc.
Any suggestions?
@(#) $OpenLDAP: slapd 2.4.44 (Aug 4 2017 14:23:27) $
Bill
-- Bill Bradford Houston, Texas USA
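As an added illustration (not part of either message, and not OpenLDAP code), here is a small Python model of slapd's first-match ACL evaluation applied to the three olcAccess values Bill posted: the first "to" clause that fits the entry/attribute selects the rule, the first "by" clause that fits the bound DN decides, and nothing after it is consulted. It assumes that a bare dn="..." behaves as dn.exact and only handles the selector forms that appear in the thread; the jdoe entry is constructed for the example. Under this model the posted rules do grant romanager read on other users' userPassword, which is exactly what makes slapacl -d -1 against the live server the useful next step.

```python
import re
# olcAccess values exactly as Bill posted them (constructed input for the model)
OLC_ACCESS = [
    '{0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=domain,dc=com" write '
    'by dn.exact="uid=romanager,ou=Users,dc=domain,dc=com" read by anonymous auth by self write by * none',
    '{1}to dn.base="" by * read',
    '{2}to * by dn="cn=Manager,dc=domain,dc=com" write by * read',
]
# slapd access levels, lowest to highest; a grant of one level implies every lower level
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def parse_rule(rule):
    """Split one olcAccess value into its <what> selector and ordered (<who>, <level>) pairs."""
    what, *by_clauses = re.split(r"\s+by\s+", re.sub(r"^\{\d+\}", "", rule).strip())
    return what[len("to "):], [tuple(c.rsplit(None, 1)) for c in by_clauses]

def what_matches(what, target_dn, attr):
    """Only the <what> forms on this page: '*', 'attrs=a,b' and 'dn.base=""' (the root DSE)."""
    if what.startswith("attrs="):
        return attr in what[len("attrs="):].split(",")
    return what == "*" or (what == 'dn.base=""' and target_dn == "")

def who_matches(who, bind_dn, target_dn):
    """Only the <who> forms on this page. Assumption: dn="..." behaves as dn.exact (slapd's default style)."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "self":
        return bind_dn != "" and bind_dn.lower() == target_dn.lower()
    m = re.fullmatch(r'dn(?:\.exact)?="(.*)"', who)
    return bool(m) and bind_dn.lower() == m.group(1).lower()

def evaluate(bind_dn, target_dn, attr, wanted="read"):
    """First-match semantics: the first <what> that fits the entry/attribute selects the rule, the
    first <who> that fits the binder decides, and later clauses and rules are never consulted.
    Returns (rule index, deciding <who>, level granted, whether `wanted` is satisfied)."""
    for index, rule in enumerate(OLC_ACCESS):
        what, clauses = parse_rule(rule)
        if not what_matches(what, target_dn, attr):
            continue
        for who, level in clauses:
            if who_matches(who, bind_dn, target_dn):
                return index, who, level, LEVELS.index(level) >= LEVELS.index(wanted)
        return index, "(implicit) by * none", "none", False   # no <who> clause matched
    return None, "(no rule matched)", "none", False

if __name__ == "__main__":
    ro = "uid=romanager,ou=Users,dc=domain,dc=com"
    print(evaluate(ro, "uid=jdoe,ou=Users,dc=domain,dc=com", "userPassword"))  # jdoe is a constructed entry
```

Compare the rule index and deciding clause this prints with what slapacl -d -1 reports for the same bind DN, entry and attribute; where they diverge is where the running server's configuration differs from the LDIF you believe is loaded.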