Dear colleagues,
There's a question I posted on ServerFault (https://serverfault.com/questions/1088252/a-very-simple-olcaccess-rule-doesn...), but it seems that asking my question in this mailing list would be a better idea.
So, long story short, I have a domain (let's call it `dc=example,dc=org`).
The domain has a branch (`ou=users,ou=ftp,ou=services,dc=k9999,dc=z9999,dc=infra,dc=example,dc=org`).
There's a simpleSecurityObject in this domain (`uid=admin,ou=managers,ou=ftp,ou=services,dc=k9999,dc=z9999,dc=infra,dc=example,dc=org`).
I need the uid=admin,*** user to have full (manage) access to the ou=users,*** branch, so I added the following olcAccess record: `to dn.subtree="ou=users,ou=ftp,ou=services,dc=k9999,dc=z9999,dc=infra,dc=example,dc=org" by dn.exact="uid=admin,ou=managers,ou=ftp,ou=services,dc=k9999,dc=z9999,dc=infra,dc=example,dc=org"`.
It was added to the default set of rules:
```
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,dc=example,dc=org" write by anonymous auth by * none
olcAccess: {2}to * by self read by dn="cn=admin,dc=example,dc=org" write by * none
olcAccess: {3}to dn.subtree="ou=users,ou=ftp,ou=services,dc=k9999,dc=z9999,dc=infra,dc=example,dc=org" by dn.exact="uid=admin,ou=managers,ou=ftp,ou=services,dc=k9999,dc=z9999,dc=infra,dc=example,dc=org" manage
```
But something seems to be wrong. When I run `ldapsearch -D uid=admin,ou=managers,ou=ftp,ou=services,dc=k9999,dc=z9999,dc=infra,dc=example,dc=org -W -b ou=users,ou=ftp,ou=services,dc=k9999,dc=z9999,dc=infra,dc=example,dc=org`, I get the following result:
```
# extended LDIF
#
# LDAPv3
# base <ou=users,ou=ftp,ou=services,dc=k9999,dc=z9999,dc=infra,dc=example,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
command terminated with exit code 32
```
The object is actually available and `cn=admin,dc=example,dc=org` can see it without any difficulties, so it seems that my access rule is wrong. But what exactly is it?
It seems that the default rule #2 (`{2} to * by self read by dn="cn=admin,dc=example,dc=org" write by * none`) fires up earlier than the rule I added. Does that mean that I should always add my custom rules before it?
And why does this rule have `by * none`? Doesn't it contradict the OpenLDAP documentation? "The default access control policy is allow read by all clients" (https://www.openldap.org/doc/admin24/access-control.html).
Thank you in advance.
With best regards, V.Melnyk
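Added illustration (not part of the mail above, and not OpenLDAP code): a small Python model of how slapd evaluates olcAccess directives, run against the four rules quoted in the mail. It encodes the documented order: the first `to` clause that selects the entry is the one used; within it the first matching `by` clause decides; a `to` clause that matches but has no matching `by` clause denies (implicit `by * none`); and a `by ... break` clause continues with the next directive. The DNs are the ones from the mail; the rule dictionaries, the `entry` attribute name used for the search-base check, the `REORDERED` lists and the subtree rule with an added `by * break` are my own constructions.

```python
# Toy model of slapd olcAccess evaluation (constructed illustration, not OpenLDAP code).

# Access levels in increasing order; a granted level satisfies any lower request.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
DEFAULT_ACCESS = "read"  # slapd's built-in default when no <what> clause selects the target


def norm_dn(dn):
    """Crude DN normalisation: lowercase, strip whitespace around RDN separators."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def what_matches(what, target_dn, attr):
    """Does a <what> selector ('to ...') select this entry/attribute?"""
    kind, arg = what
    if kind == "*":
        return True
    if kind == "attrs":
        return attr.lower() in {a.lower() for a in arg}
    if kind == "dn.subtree":
        target, base = norm_dn(target_dn), norm_dn(arg)
        return target == base or target.endswith("," + base)
    raise ValueError(f"unsupported <what> style: {kind}")


def who_matches(who, bind_dn, target_dn):
    """Does a <who> selector ('by ...') match the bound identity?"""
    kind, arg = who
    if kind == "*":
        return True
    if kind == "anonymous":
        return bind_dn == ""
    if kind == "self":
        return norm_dn(bind_dn) == norm_dn(target_dn)
    if kind in ("dn", "dn.exact"):  # dn="..." with no style means exact
        return norm_dn(bind_dn) == norm_dn(arg)
    raise ValueError(f"unsupported <who> style: {kind}")


def evaluate(rules, bind_dn, target_dn, attr="entry"):
    """Return (granted level, index of the deciding rule or None).

    First <what> that selects the target wins; within it the first matching
    <who> decides. A matching <what> with no matching <who> denies (implicit
    'by * none'). 'break' keeps the current mask and moves to the next rule.
    """
    granted = None
    for idx, rule in enumerate(rules):
        if not what_matches(rule["to"], target_dn, attr):
            continue
        for who, level, control in rule["by"]:
            if not who_matches(who, bind_dn, target_dn):
                continue
            if level is not None:
                granted = level  # an absolute level replaces the current mask
            if control == "break":
                break  # leave this rule, keep evaluating the later ones
            return (granted if granted is not None else "none"), idx  # 'stop' is the default
        else:
            return "none", idx  # <what> matched, no <who> did: implicit 'by * none'
    return (granted if granted is not None else DEFAULT_ACCESS), None


def allowed(rules, bind_dn, target_dn, needed, attr="entry"):
    """Is the level granted by evaluate() at least the level the operation needs?"""
    level, _ = evaluate(rules, bind_dn, target_dn, attr)
    return LEVELS.index(level) >= LEVELS.index(needed)


# DNs quoted in the mail.
USERS = "ou=users,ou=ftp,ou=services,dc=k9999,dc=z9999,dc=infra,dc=example,dc=org"
FTP_ADMIN = "uid=admin,ou=managers,ou=ftp,ou=services,dc=k9999,dc=z9999,dc=infra,dc=example,dc=org"
ROOT_ADMIN = "cn=admin,dc=example,dc=org"
PEERCRED = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"

# The four olcAccess values from the mail; each <who> clause is (who, level, control).
CATCH_ALL_BREAK = {"to": ("*", None), "by": [
    (("dn.exact", PEERCRED), "manage", "stop"),
    (("*", None), None, "break")]}  # no level given: mask unchanged, continue
PASSWORDS = {"to": ("attrs", ["userPassword", "shadowLastChange"]), "by": [
    (("self", None), "write", "stop"), (("dn", ROOT_ADMIN), "write", "stop"),
    (("anonymous", None), "auth", "stop"), (("*", None), "none", "stop")]}
EVERYTHING = {"to": ("*", None), "by": [
    (("self", None), "read", "stop"), (("dn", ROOT_ADMIN), "write", "stop"),
    (("*", None), "none", "stop")]}
FTP_SUBTREE = {"to": ("dn.subtree", USERS), "by": [
    (("dn.exact", FTP_ADMIN), "manage", "stop")]}
# Constructed variant of {3}: same grant, but everyone else falls through to later rules.
FTP_SUBTREE_BREAK = {"to": ("dn.subtree", USERS), "by": [
    (("dn.exact", FTP_ADMIN), "manage", "stop"), (("*", None), None, "break")]}

AS_POSTED = [CATCH_ALL_BREAK, PASSWORDS, EVERYTHING, FTP_SUBTREE]          # {0}..{3} as in the mail
REORDERED = [CATCH_ALL_BREAK, PASSWORDS, FTP_SUBTREE, EVERYTHING]          # {3} moved above {2}
REORDERED_BREAK = [CATCH_ALL_BREAK, PASSWORDS, FTP_SUBTREE_BREAK, EVERYTHING]

if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("reordered", REORDERED), ("reordered+break", REORDERED_BREAK)):
        for who in (FTP_ADMIN, ROOT_ADMIN):
            level, idx = evaluate(rules, who, USERS)
            print(f"{name:16} {who.split(',')[0]:9} -> {level:6} (decided by rule {{{idx}}})")
```

Evaluated as posted, the `{2}to *` directive selects the `ou=users` entry before `{3}` is ever consulted, and its `by * none` ends evaluation, so the ftp admin is left with `none`; at `none` the binder lacks even `disclose`, which is why slapd answers the search with `32 No such object` instead of an insufficient-access error. The `REORDERED` list shows the other half of the picture: moving `{3}` above `{2}` gives the ftp admin `manage`, but because that directive has only one `by` clause the global `cn=admin` now receives the implicit `none` on that subtree. `REORDERED_BREAK` adds the same `by * break` fall-through the posted `{0}` rule already uses, and `cn=admin` keeps its `write` from the later catch-all. The documented "read by all" default is modelled by `DEFAULT_ACCESS` and only applies when no directive selects the entry at all, which cannot happen once a `to *` directive is present.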