Igor Shmukler igor.shmukler@gmail.com writes:
> Further, I just unsuccessfully tried one more thing: adding another line to
> olcAccess for individual DIT databases (i.e. dn: olcDatabase={1}hdb,cn=config
> and dn: olcDatabase={2}hdb,cn=config):
>
> olcAccess: {3}to * by dn.exact=cn=config
Yes, that's needed.
> I am still getting an error: no write access to parent.
>
> A fragment from my slapcat(8) output:
>
> olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=directory,dc=com" write by * none
> olcAccess: {1}to dn.base="" by * read
> olcAccess: {2}to * by self write by dn="cn=admin,dc=directory,,dc=com" write by * read
There is a double comma here. But the problem is that this line will always terminate the ACL processing, because "to * ... by * read" always matches.
> olcAccess: {3}to * by dn.exact=cn=config
This line is never reached. Move it to the front instead:
olcAccess: {0}to * by dn.exact=cn=config
olcAccess: {1}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by self write by * read
For consistency's sake you may want to stick either to dn.base or dn.exact (they are the same). Also, the rootDN is unaffected by ACLs, so it's pointless to mention it in the rules.
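An added model of the first-match evaluation the reply describes, written for this thread and not code from the list or from OpenLDAP: it parses constructed olcAccess values in both the quoted order and the suggested order and reports which rule decides a request. The explicit access levels, the `dn_of`/`evaluate` helper names and the trailing `by * none break` on the reordered rule {0} are assumptions made here.

```python
import re
# Constructed olcAccess values in the order the quoted slapcat output lists them (double
# comma left out); levels are written out, the reply omits one on its cn=config clause.
ORIGINAL_ORDER = [
    '{0}to attrs=userPassword,shadowLastChange by self write by anonymous auth'
    ' by dn="cn=admin,dc=directory,dc=com" write by * none',
    '{1}to dn.base="" by * read',
    '{2}to * by self write by dn="cn=admin,dc=directory,dc=com" write by * read',
    '{3}to * by dn.exact=cn=config write',
]
# Reordered as the reply suggests. "by * none break" is an assumption added here: without
# it rule {0} matches every entry and stops with no access for everyone but cn=config.
FIXED_ORDER = [
    '{0}to * by dn.exact=cn=config write by * none break',
    '{1}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none',
    '{2}to dn.base="" by * read',
    '{3}to * by self write by * read',
]
LEVELS = ['none', 'disclose', 'auth', 'compare', 'search', 'read', 'write', 'manage']
RULE_RE = re.compile(r'^\{(\d+)\}to\s+(\S+)\s+(.*)$')
BY_RE = re.compile(r'by\s+(\S+)\s+(\S+)(\s+break)?')  # only the selectors used above

def norm(dn):  # minimal DN normalisation: case and spaces only
    return dn.replace(' ', '').lower()
def dn_of(selector):  # value of dn=, dn.base= or dn.exact= (the last two are the same)
    return norm(selector.split('=', 1)[1].strip('"'))
def what_matches(what, target_dn, attr):
    if what.startswith('attrs='):  # attribute list, on any entry
        return attr.lower() in what[6:].lower().split(',')
    return what == '*' or norm(target_dn) == dn_of(what)
def who_matches(who, bind_dn, target_dn):
    if who == 'anonymous':
        return bind_dn == ''
    if who == 'self':
        return bind_dn != '' and norm(bind_dn) == norm(target_dn)
    return who == '*' or norm(bind_dn) == dn_of(who)
def evaluate(rules, bind_dn, target_dn, attr):
    """slapd-style first match: the first <what> that matches decides, the first matching
    <by> inside it sets the level, and stop (the default control) ends processing."""
    level = 'none'
    for line in rules:
        idx, what, rest = RULE_RE.match(line).groups()
        if not what_matches(what, target_dn, attr):
            continue
        hit = next((c for c in BY_RE.findall(rest) if who_matches(c[0], bind_dn, target_dn)), None)
        if hit:
            level = hit[1]
        if not (hit and hit[2]):  # no <by> matched or control is stop: this rule decides
            return int(idx), level
    return None, level  # ran off the end after a break: the level carried over stands
```

Asking for `write` on the `children` pseudo-attribute of `dc=directory,dc=com` as cn=config returns `(2, 'read')` with the quoted order and `(0, 'write')` with the reordered rules, which is the "no write access to parent" error and its fix.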