I would like to allow users to ldapmodify a few of their attibutes ... sshPublicKey,gecos ..
This does not appear to do the trick:
0-14:08 djh@ldap0 ~$ *sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b > cn=config '(olcDatabase={1}hdb)' olcAccess* dn: olcDatabase={1}hdb,cn=config olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou s auth by dn="cn=admin,dc=example,dc=com" write by * none olcAccess: {1}to dn.base="" by * read olcAccess: {2}to * by dn="cn=admin,dc=example,dc=com" write by * read olcAccess: {3}to attrs=sshPublicKey,gecos by self write
Why? I would guess the {2} rule "to * by * read" has precedence.
As I understand it, if I wanted to re-order those rules, I would delete and rewrite the rules. This would require me to delete the rule that gives admin the access to write the rules in the first place ... sounds like a way to lock myself out of my LDAP database?
So, my guess is that I want and LDIF like so:
dn: olcDatabase={1}hdb,cn=config changetype: modify remove: olcAccess olcAccess: {3}to attrs=sshPublicKey,gecos by self write - add: olcAccess olcAccess: {2}to attrs=sshPublicKey,gecos by self write - add: olcAccess olcAccess: {3}to * by dn="cn=admin,dc=example,dc=com" write by * read - remove: olcAccess olcAccess: {2}to * by dn="cn=admin,dc=example,dc=com" write by * read
If I run this as cn=admin then it should:
1) Remove ineffective {3} 2) Add an effective {2} (now there are two {2}s..) 3) Add a new {3} to match incumbent {2} 4) Remove incumbent {2}
I shouldn't lock myself out because I add a new rule for admin access before deleting the old rule, and as far as LDAP is superficially concerned, all these olcAccess attributes are just unique records, so the conflicting number rules aren't going to be a problem .. ?
Am I on the right track?
Thanks, -danny