--On Monday, January 13, 2020 4:53 PM +0100 Vincent Ducot
yes, I understand the processing order. So something like this should work, right?
No. All access to userPassword is stopped by your very first ACL, no
further ACLs for it will apply, as I already stated. Again, ACL processing
STOPs at the FIRST matching rule. Additionally, a replication user only
needs read access to read data off the master. It does not need explicit
write access to its local db.
olcAccess: to attrs=userPassword by anonymous auth
olcAccess: to * by dn="uid=rpuser,dc=foo,dc=bar" write
olcAccess: to attrs=userPassword by self write by * none
olcAccess: to * by dn="cn=admin,dc=foo,dc=bar" write by self write by users read by * none
So in the above, any and all access to userPassword STOPs at the "by
anonymous auth access". Any other type of request for access to
userPassword will be denied.
You most likely want something more like:
olcAccess: to attrs=userPassword by anonymous auth by self write by
olcAccess: to * by dn="cn=admin,dc=foo,dc=bar" write by self write by users read by * none
This appears to encapsulate the permissions you're trying to set up in the
Note that a "user" is *any* identity that successfully authenticated to the
LDAP server, so the "rpuser" is already covered in the "to *" access
by the rule "by users read".
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
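To make the first-match behaviour described in the reply concrete, here is a toy ACL evaluator. It is an added example, not code from the OpenLDAP project and not from either poster. It models only the subset of slapd.access(5) semantics the thread turns on (directives tried in order, first matching "to" clause wins, first matching "by" clause inside it decides, implicit trailing "by * none", ordered privilege levels) and runs the directives from the question through it, rejoined from their wrapped form. The second set below is my own constructed, reordered variant: the reply's second set is cut off on the page, so the version here is written to also grant the replication identity read on userPassword and must not be read as the reply's text. The entry uid=alice,dc=foo,dc=bar is a constructed sample; dn= and dn.exact= are treated as exact DN matches, which is a simplification of this model.

```python
"""Toy first-match evaluator for OpenLDAP-style olcAccess directives.

Added example, not OpenLDAP code and not a substitute for slapd's ACL engine.
Models the subset of slapd.access(5) needed to follow the thread:
  * directives are tried in order; the FIRST one whose <what> clause matches
    the requested attribute is used and all later directives are ignored;
  * inside that directive the FIRST matching <by> clause decides the level;
  * every directive ends with an implicit "by * none";
  * levels are ordered none < disclose < auth < compare < search < read <
    write < manage, and a granted level implies every lower one.
Assumptions of this model: dn= / dn.exact= match the requester DN exactly;
regex, filter, group and set clauses are not handled; an attribute that no
directive covers is treated as "none".
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


@dataclass
class Directive:
    attrs: Optional[frozenset]          # None means "to *"
    by: List[Tuple[str, str]]           # (who, level) pairs in source order


def parse_directive(line: str) -> Directive:
    """Parse 'olcAccess: to <what> by <who> <level> [by <who> <level> ...]'."""
    text = line.split(":", 1)[1].strip() if line.startswith("olcAccess:") else line.strip()
    if not text.startswith("to "):
        raise ValueError(f"not an access directive: {line!r}")
    what, *clauses = text[3:].split(" by ")
    what = what.strip()
    if what == "*":
        attrs = None
    elif what.startswith("attrs="):
        attrs = frozenset(a.strip() for a in what[len("attrs="):].split(","))
    else:
        raise ValueError(f"unsupported <what> clause: {what!r}")
    by = []
    for clause in clauses:
        who, level = clause.strip().rsplit(" ", 1)
        if level not in LEVELS:
            raise ValueError(f"unknown access level {level!r}")
        by.append((who, level))
    return Directive(attrs, by)


def who_matches(who: str, requester: Optional[str], entry_dn: str) -> bool:
    """requester is the bound DN, or None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":                  # any successfully authenticated identity
        return requester is not None
    if who == "self":                   # requester is the entry being accessed
        return requester is not None and requester.lower() == entry_dn.lower()
    for prefix in ("dn.exact=", "dn="):  # simplification: exact DN match only
        if who.startswith(prefix):
            wanted = who[len(prefix):].strip('"')
            return requester is not None and requester.lower() == wanted.lower()
    raise ValueError(f"unsupported <who> clause: {who!r}")


def granted_level(directives, requester, entry_dn, attr) -> str:
    """Level the ACL set grants for one attribute, following first-match rules."""
    for d in directives:
        if d.attrs is not None and attr not in d.attrs:
            continue                    # <what> does not match: try the next directive
        for who, level in d.by:
            if who_matches(who, requester, entry_dn):
                return level            # first matching <by> clause decides
        return "none"                   # implicit trailing "by * none"; later directives never run
    return "none"                       # nothing matched at all (model assumption)


def allowed(directives, requester, entry_dn, attr, needed) -> bool:
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(granted_level(directives, requester, entry_dn, attr)) >= LEVELS.index(needed)


RPUSER = "uid=rpuser,dc=foo,dc=bar"
ADMIN = "cn=admin,dc=foo,dc=bar"
ALICE = "uid=alice,dc=foo,dc=bar"       # constructed sample entry, not from the thread

# The ordering posted in the question, with the wrapped line rejoined.
POSTED = [parse_directive(l) for l in [
    "olcAccess: to attrs=userPassword by anonymous auth",
    'olcAccess: to * by dn="uid=rpuser,dc=foo,dc=bar" write',
    "olcAccess: to attrs=userPassword by self write by * none",
    'olcAccess: to * by dn="cn=admin,dc=foo,dc=bar" write by self write by users read by * none',
]]

# Constructed, reordered set (assumption for this example, not the reply's text):
# one userPassword directive naming every identity that needs it, then one catch-all.
REORDERED = [parse_directive(l) for l in [
    'olcAccess: to attrs=userPassword by anonymous auth by self write by dn.exact="uid=rpuser,dc=foo,dc=bar" read by * none',
    'olcAccess: to * by dn.exact="cn=admin,dc=foo,dc=bar" write by self write by users read by * none',
]]

if __name__ == "__main__":
    for name, acl in (("posted", POSTED), ("reordered", REORDERED)):
        for requester, attr, need in ((RPUSER, "userPassword", "read"), (ALICE, "userPassword", "write"),
                                      (ADMIN, "cn", "read"), (None, "userPassword", "auth")):
            print(f"{name:9} {requester or 'anonymous':28} {attr}/{need}: "
                  f"{allowed(acl, requester, ALICE, attr, need)}")
```

Under the posted ordering the model denies rpuser read and even self write on userPassword, because the first directive for that attribute names only "anonymous auth" and its implicit "by * none" ends evaluation; it also denies cn=admin any access to non-password attributes, since the second directive ("to *" for rpuser) is matched first and its implicit "by * none" applies. Under the reordered set rpuser gets read on userPassword and read on everything else through "by users read", while still having no write anywhere. Against a real server, the same questions can be put to slapacl(8), for example slapacl -b "uid=alice,dc=foo,dc=bar" -D "uid=rpuser,dc=foo,dc=bar" "userPassword/read".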