--On Monday, January 30, 2017 7:08 PM -0700 scar scar@drigon.com wrote:
However, this brings me to the next problem: the contents of slapd.conf do not match the slapd.d/cn=config.ldif file, so it seems the fixes I am trying to the ACLs don't have any effect, even when I restart slapd. If I try "ldapmodify -nv" it just hangs. When I try to stop slapd and remove slapd.d/* and then start slapd, the contents are recreated according to the config file, but then users can't log in (all I see in the logfile is access_allowed and slap_access_allowed but no conn lines).
If you are using the configuration backend for slapd, then you can ignore the slapd.conf file entirely, and simply use the ldapmodify command to modify your access rules. I suggest reading the ldapmodify manual page for information on how to properly execute it. If you are using a distribution provided build of OpenLDAP, the necessary steps may depend on how they configured things.
I would note that the rootdn is never subject to ACLs (as documented in the slapd.access(5) man page). So there is no point in listing it in ACLs.
I would note that your final acl:
"access to * by dn="uid=ldapadmin,dc=X,dc=Y,dc=Z" read"
will never be applied, since ACL processing stops on the first matching ACL (as noted in the slapd.access(5) man page), and the ACL immediately preceding it already covers "access to *".
I would note that your next-to-last ACL also has items that would never be processed, specifically the "by * auth", since the "by * read" takes precedence. You don't provide any information on what identity (or identities) you want to be able to modify the userPassword attribute, so it's difficult to help you further.
Hopefully this is enough information to help you have forward progress. :)
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
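The two ordering mistakes Quanah points out (a second "access to *" directive that is never reached, and a "by * auth" clause sitting after "by * read") both follow from slapd's first-match rule: the first directive whose target matches is selected, and within it the first "by" clause whose subject matches decides, after which evaluation stops. The following script is an added example, not code from the thread or from OpenLDAP; it models that rule for the simple target and subject forms used above, flags unreachable directives and clauses, and emits the olcAccess LDIF you would hand to ldapmodify against cn=config. The ACL sets, the uid=ldapadmin DN and the olcDatabase={1}mdb,cn=config entry are constructed for illustration; the database DN in particular is an assumption you must check against your own cn=config tree.

```python
"""Added example (not from the thread or OpenLDAP): a small model of slapd's
first-match ACL evaluation with the default 'stop' control, plus a linter for
unreachable directives/clauses and an olcAccess LDIF emitter.  Only 'to *' and
'to attrs=<name>' targets and the 'self', 'anonymous', 'users', '*' and
dn="<exact dn>" subjects are modelled; all DNs and ACL sets are constructed."""
import shlex
from dataclasses import dataclass

# Privilege levels in increasing order, as listed in slapd.access(5).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


@dataclass
class Directive:
    to: str     # "*" or "attrs=<attribute>"
    by: list    # [(who, level), ...] in the order written


def parse(line):
    """Parse one 'access to <what> by <who> <level> [by ...]' directive."""
    tok = shlex.split(line)            # shlex strips the quotes around dn="..."
    if tok[:2] != ["access", "to"]:
        raise ValueError(f"not an access directive: {line}")
    to, rest = tok[2], tok[3:]
    clauses = []
    while rest:
        kw, who, level, *rest = rest
        if kw != "by" or level not in LEVELS:
            raise ValueError(f"bad by-clause in: {line}")
        clauses.append((who, level))
    return Directive(to, clauses)


def target_matches(d, attr):
    return d.to == "*" or d.to.lower() == f"attrs={attr}".lower()


def who_matches(who, bind_dn, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return not bind_dn
    if who == "users":
        return bool(bind_dn)
    if who == "self":
        return bool(bind_dn) and bind_dn.lower() == entry_dn.lower()
    if who.startswith("dn="):
        return bool(bind_dn) and bind_dn.lower() == who[3:].lower()
    raise ValueError(f"unsupported who-clause: {who}")


def evaluate(acls, bind_dn, entry_dn, attr, wanted):
    """First matching directive, then its first matching by-clause, decides.
    Returns (granted, directive_index, clause_index).  A matched directive with
    no matching by-clause denies; no matching directive is modelled as deny."""
    for i, d in enumerate(acls):
        if not target_matches(d, attr):
            continue
        for j, (who, level) in enumerate(d.by):
            if who_matches(who, bind_dn, entry_dn):
                return LEVELS.index(level) >= LEVELS.index(wanted), i, j
        return False, i, None
    return False, None, None


def unreachable(acls):
    """Report directives and by-clauses that first-match evaluation never reaches."""
    notes = []
    for i, d in enumerate(acls):
        for k in range(i):          # an earlier 'to *' (or identical target) wins first
            if acls[k].to == "*" or acls[k].to.lower() == d.to.lower():
                notes.append(f"directive {i} ('to {d.to}') is shadowed by directive {k}")
                break
        for j, (who, _) in enumerate(d.by):
            earlier = [w for w, _ in d.by[:j]]
            if "*" in earlier or who in earlier:
                notes.append(f"directive {i}: by-clause {j} ('by {who}') is never reached")
    return notes


def olc_access_ldif(acls, db_dn="olcDatabase={1}mdb,cn=config"):
    """LDIF for 'ldapmodify -Y EXTERNAL -H ldapi:///' that replaces olcAccess.
    db_dn is an assumption: find yours with ldapsearch -b cn=config olcSuffix."""
    def render(d):
        parts = [f"to {d.to}"]
        for who, level in d.by:
            w = f'dn="{who[3:]}"' if who.startswith("dn=") else who
            parts.append(f"by {w} {level}")
        return " ".join(parts)
    lines = [f"dn: {db_dn}", "changetype: modify", "replace: olcAccess"]
    lines += [f"olcAccess: {{{i}}}{render(d)}" for i, d in enumerate(acls)]
    return "\n".join(lines) + "\n"


# Constructed ACL set reproducing the two problems named in the reply.
POSTED = [parse(l) for l in [
    'access to attrs=userPassword by self write by * read by * auth',
    'access to * by * read',
    'access to * by dn="uid=ldapadmin,dc=X,dc=Y,dc=Z" read',
]]
# One ordering that does what the posted set presumably intended.
FIXED = [parse(l) for l in [
    'access to attrs=userPassword by self write by anonymous auth by * none',
    'access to * by dn="uid=ldapadmin,dc=X,dc=Y,dc=Z" write by * read',
]]

if __name__ == "__main__":
    for n in unreachable(POSTED):
        print("posted:", n)
    print(olc_access_ldif(FIXED))
```

Running it reports that directive 2 of the posted set is shadowed by directive 1 and that the "by * auth" clause of directive 0 is never reached, and then prints the LDIF for the corrected ordering. Note that in the corrected set the ldapadmin clause is placed before "by * read" and given a level higher than read; an identical "read" would be pointless even if reachable. The rootdn is not modelled because, as the reply says, it bypasses ACLs entirely.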