Hello,
I tried to filter out everyone except cn=config when my ACL filter rule is true (a NAME type attribute matches a value), so that password authentication for filtered-out users would fail. It works for regular users but not for admins. Is this because my ACL rules are wrong, or is this a feature of OpenLDAP? Why no matter what I do
My LDIF is below:
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange filter=(serviceLevel=suspended) by dn="cn=config" write by * none
olcAccess: {1}to attrs=userPassword,shadowLastChange filter=(!(serviceLevel=suspended)) by self write by anonymous auth by dn="cn=admin,dc=directory,dc=com" write by dn="cn=config" write by * none
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * filter=(serviceLevel=suspended) by dn="cn=config" write by * none
olcAccess: {4}to * filter=(!(serviceLevel=suspended)) by self write by dn="cn=admin,dc=directory,dc=com" write by dn="cn=config" write by * read
Is there something special about LDAP administrator, by design?
Thank you,
Igor Shmukler
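The following is an added worked example, not part of the post above and not OpenLDAP code. It is a small Python model of how slapd walks the five olcAccess values in the post: the first `<what>` clause that matches the target is selected, then the first matching `<who>` inside it decides the level, and the rootdn of the database skips the rules altogether (slapd.conf(5) states the rootdn is not subject to access control). Whether `cn=admin,dc=directory,dc=com` is the poster's olcRootDN is an assumption, so it is passed in as the `root_dn` parameter instead of being hard-coded; the sample entries (`uid=bob`, `uid=alice`) and their serviceLevel values are constructed for the example. Only the `<what>`/`<who>` forms that appear in the post are implemented.

```python
"""Simplified model of slapd ACL selection for the olcAccess values in the post
(added example; not the post's code and not OpenLDAP's evaluator)."""
import re
import shlex

# Access levels in slapd.access(5) order: a grant of one level satisfies any lower level.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The olcAccess values exactly as posted (DNs and attribute names are the post's own).
OLC_ACCESS = [
    '{0}to attrs=userPassword,shadowLastChange filter=(serviceLevel=suspended) by dn="cn=config" write by * none',
    '{1}to attrs=userPassword,shadowLastChange filter=(!(serviceLevel=suspended)) by self write by anonymous auth by dn="cn=admin,dc=directory,dc=com" write by dn="cn=config" write by * none',
    '{2}to dn.base="" by * read',
    '{3}to * filter=(serviceLevel=suspended) by dn="cn=config" write by * none',
    '{4}to * filter=(!(serviceLevel=suspended)) by self write by dn="cn=admin,dc=directory,dc=com" write by dn="cn=config" write by * read',
]


def parse_rule(text):
    """Split one olcAccess value into a <what> dict and an ordered list of (<who>, level)."""
    body = re.sub(r"^\{\d+\}to\s+", "", text)       # drop the "{n}to " prefix
    what_part, *by_parts = body.split(" by ")
    what = {"attrs": None, "filter": None, "dn_base": None}
    for tok in shlex.split(what_part):               # shlex strips the quotes around dn values
        if tok.startswith("attrs="):
            what["attrs"] = set(tok[len("attrs="):].split(","))
        elif tok.startswith("filter="):
            what["filter"] = tok[len("filter="):]
        elif tok.startswith("dn.base="):
            what["dn_base"] = tok[len("dn.base="):]
        # a bare "*" selects every entry, so nothing is recorded for it
    return what, [tuple(shlex.split(part)) for part in by_parts]


RULES = [parse_rule(v) for v in OLC_ACCESS]


def filter_matches(flt, entry_attrs):
    """Handle the two filter shapes in the post: (attr=value) and (!(attr=value)).
    An absent attribute fails the equality, so the negated form also matches
    entries that carry no serviceLevel at all."""
    if flt is None:
        return True
    negated = flt.startswith("(!")
    inner = flt[2:-1] if negated else flt
    attr, value = inner.strip("()").split("=", 1)
    present = value in entry_attrs.get(attr, [])
    return not present if negated else present


def target_matches(what, entry_dn, entry_attrs, attr):
    """<what> matches when every selector it carries matches; attr=None means entry-level access."""
    if what["dn_base"] is not None and entry_dn != what["dn_base"]:
        return False
    if what["attrs"] is not None and attr not in what["attrs"]:
        return False
    return filter_matches(what["filter"], entry_attrs)


def who_matches(who, bind_dn, entry_dn):
    """<who> forms used in the post; DNs are assumed already normalized, as slapd normalizes them."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn == entry_dn
    if who.startswith("dn="):
        return bind_dn == who[len("dn="):]
    raise ValueError(f"unsupported <who> form: {who}")


def access_granted(rules, bind_dn, entry_dn, entry_attrs, attr=None, root_dn=None):
    """Level granted: first matching <what>, then first matching <who> inside it.
    root_dn models the rootdn bypass; that cn=admin is the poster's rootdn is an
    assumption, which is why the caller has to supply it."""
    if root_dn is not None and bind_dn == root_dn:
        return "manage"
    for what, bys in rules:
        if not target_matches(what, entry_dn, entry_attrs, attr):
            continue
        for who, level in bys:
            if who_matches(who, bind_dn, entry_dn):
                return level
        return "none"   # a matching <what> whose <who> list is exhausted denies
    return "none"       # not reached for this rule set: {3} and {4} together cover every entry


def satisfies(granted, required):
    return LEVELS.index(granted) >= LEVELS.index(required)


def simple_bind_allowed(rules, entry_dn, entry_attrs):
    """A simple bind is checked with an anonymous bind DN and needs 'auth' on userPassword."""
    return satisfies(access_granted(rules, None, entry_dn, entry_attrs, "userPassword"), "auth")
```

Running `simple_bind_allowed(RULES, "uid=bob,dc=directory,dc=com", {"serviceLevel": ["suspended"]})` returns False because rule {0} is selected for userPassword of a suspended entry and ends in `by * none`, while the same call for a non-suspended entry reaches `by anonymous auth` in rule {1} and returns True. `access_granted(RULES, "cn=admin,dc=directory,dc=com", "uid=bob,dc=directory,dc=com", {"serviceLevel": ["suspended"]})` is "none" under the rules as written, so an admin that is merely an ordinary entry would be locked out of suspended users too; passing `root_dn="cn=admin,dc=directory,dc=com"` returns "manage" without consulting any rule, which is what the behaviour in the post would look like if that DN is the database's olcRootDN. A quick way to check the actual setting is to read olcRootDN from the `olcDatabase={2}hdb,cn=config` entry.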