On 6/9/23 21:39, Quanah Gibson-Mount wrote:
You've not provided any examples of the 'group' ACLs you provided, nor the full context of your ACLs, so they may have not worked for any number of reasons.
This is the full ACL I was using:
    to attrs=userPassword by group="cn=test,ou=Groups,ou=System,dc=example,dc=local" read by self write by anonymous auth
This lacks context, which I also noted was necessary.
There's zero information on:
a) what database this ACL is applied to, could be the cn=config db for all I know
b) what ACLs may precede it that would take precedence.
--Quanah
I forgot this information; I am sorry for that. I hope that this will include the necessary information.
a) All ACLs apply to "olcDatabase={2}mdb,cn=config", and there is only one mdb database on this server.
b) I currently have 2 ACLs:
dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0} to attrs=userPassword by group="cn=test,ou=Groups,ou=System,dc=example,dc=local" read by self write by anonymous auth

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {1} to dn.subtree="dc=example,dc=local" by users read
c) And the dynlist module configuration is the following:
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModuleLoad: {0}dynlist.la
olcModulePath: /usr/lib64/openldap

dn: olcOverlay={0}dynlist,olcDatabase={2}mdb,cn=config
objectClass: olcConfig
objectClass: olcDynListConfig
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: {0}dynlist
olcDynListAttrSet: {0}groupOfURLs memberURL member
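As an added illustration (not code from this thread or from OpenLDAP), a small Python model of how slapd evaluates the two olcAccess values above: the first `to` clause whose target matches is selected, and within it the first `by` clause that matches the requester decides the privilege, so clause order matters. The user DNs, the directory entries and the static `member` list of cn=test are constructed for the example; dynlist-expanded membership is not modelled.

```python
import shlex

# slapd privilege levels, lowest to highest; a granted level implies every lower one.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
GROUP = "cn=test,ou=Groups,ou=System,dc=example,dc=local"
ALICE, BOB = "uid=alice,ou=People,dc=example,dc=local", "uid=bob,ou=People,dc=example,dc=local"
# Constructed directory: a static group (alice is a member) and two user entries.
DIRECTORY = {GROUP: {"member": [ALICE]},
             ALICE: {"userPassword": ["{SSHA}..."]}, BOB: {"userPassword": ["{SSHA}..."]}}
# The two olcAccess values from the thread, {n} ordering prefixes removed.
# Note that 'read' on userPassword lets group members retrieve the stored hashes.
ACLS = ['to attrs=userPassword by group="%s" read by self write by anonymous auth' % GROUP,
        'to dn.subtree="dc=example,dc=local" by users read']

def parse_acl(text):
    # Split 'to <what> by <who> <level> ...' into a target dict and ordered by-clauses.
    toks, target, clauses = shlex.split(text), {}, []   # shlex strips the DN quotes
    i = 1
    while i < len(toks) and toks[i] != "by":
        key, val = toks[i].split("=", 1)
        target[key] = val
        i += 1
    while i < len(toks):                  # each clause is exactly: by <who> <level>
        clauses.append((toks[i + 1], toks[i + 2]))
        i += 3
    return target, clauses

def target_matches(target, entry_dn, attr):
    if "attrs" in target and attr not in target["attrs"].split(","):
        return False
    base = target.get("dn.subtree", "").lower()
    return not base or entry_dn.lower() == base or entry_dn.lower().endswith("," + base)

def who_matches(who, requester, entry_dn):
    if who.startswith("group="):          # static membership: the group entry's member attribute
        return requester in DIRECTORY.get(who[6:], {}).get("member", [])
    return {"*": True, "anonymous": requester is None, "users": requester is not None,
            "self": requester == entry_dn}.get(who, False)

def granted(requester, entry_dn, attr, acls=ACLS):
    """Privilege slapd grants: first matching 'to' clause, then its first matching 'by' clause."""
    for text in acls:
        target, clauses = parse_acl(text)
        if target_matches(target, entry_dn, attr):
            for who, level in clauses:
                if who_matches(who, requester, entry_dn):
                    return level
            return "none"                 # implicit trailing 'by * none'
    return "none"                         # no directive matched: denied

def allowed(requester, entry_dn, attr, want):
    return LEVELS.index(granted(requester, entry_dn, attr)) >= LEVELS.index(want)
```

With the clause order as posted, a group member reading their own entry hits the `group=` clause first and gets `read`, never reaching `by self write`; the same ACL with `by self write` listed first grants that user `write`.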