--On Monday, January 17, 2022 5:52 PM +0100 cupcake@domayn.ch wrote:
Thanks for your answer,
Rather than a replace op, you can just delete and add ACL {0} directly, since you're not changing any of the other ACLs.
So this means I can omit the entries for olcAccess: {1} and olcAccess: {2}? And for olcAccess: {0} I would first create a delete operation and after that re-add it again? Why is that better than a replace, if I may ask?
Yes, you can use the weight in a delete op, like
ldapmodify ...
dn: ...
delete: olcAccess
olcAccess: {0}
-
add: olcAccess
olcAccess: {0}access to ...
I would say it's better than replace for a few reasons, the largest being that it is less prone to end-user error (typos, etc.).
You can also do the same sort of thing to insert ACLs, like
ldapmodify ...
dn: ....
add: olcAccess
olcAccess: {1}access to ...
Would put a new ACL at {1} and increment all subsequent ACLs to preserve order.
Is sys_allow_pw_change an actual LDAP group (groupOfNames, groupOfUniqueNames, or groupOfMembers)?
objectClass is posixGroup and members are saved in a memberUid field:
Generally I'd advise using LDAP groups, not *nix posixGroups, for managing LDAP access.
I would also note that memberUid can be problematic if you end up with multiple entries with the same uid, an issue that DN-based LDAP groups cannot encounter.
--Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
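The ordering rules described above (delete by {n}, add at {n}, later values renumbered) and the replace pitfall, as an added example that is not part of this thread and not OpenLDAP code: a small Python model of how slapd treats olcAccess as an X-ORDERED attribute when applying an ldapmodify record. The database DN (olcDatabase={1}mdb), the group DN and the ACL texts are constructed assumptions, and the script never contacts a server; it only models the index bookkeeping so you can check a record before applying it.

```python
"""Model of how slapd applies ldapmodify change records to olcAccess.

olcAccess is an X-ORDERED 'VALUES' attribute: each value carries a {n}
prefix and slapd renumbers the remaining values after every delete or
insert so the indexes stay dense and in order.  Added example for this
thread, not OpenLDAP code; ACLs and LDIF below are constructed.
"""
import re

INDEXED = re.compile(r"^\{(\d+)\}(.*)$")


def split_index(value):
    """'{2}to * by * read' -> (2, 'to * by * read'); unindexed -> (None, value)."""
    m = INDEXED.match(value)
    return (int(m.group(1)), m.group(2)) if m else (None, value)


def renumber(acls):
    """Reattach dense {n} prefixes in list order, the way slapd stores them."""
    return ["{%d}%s" % (i, a) for i, a in enumerate(acls)]


def parse_modify(ldif):
    """Parse a changetype: modify record into [(op, attr, [values]), ...].

    Covers the subset used on this thread: add/delete/replace, one
    attribute per mod, mods separated by '-' lines, RFC 2849 continuation
    lines (leading space).  dn:/changetype: lines are skipped.
    """
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:        # fold continuation line
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw.rstrip())
    mods, cur = [], None
    for line in lines:
        if line == "-":
            if cur:
                mods.append(cur)
            cur = None
            continue
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key in ("add", "delete", "replace"):
            cur = (key, val, [])
        elif cur is not None and key == cur[1]:
            cur[2].append(val)
    if cur:
        mods.append(cur)
    return mods


def apply_modify(current, ldif):
    """Apply the record to the current indexed olcAccess values; return the new list."""
    acls = [split_index(v)[1] for v in current]
    for op, attr, values in parse_modify(ldif):
        if attr != "olcAccess":
            raise ValueError("only olcAccess is modelled: %s" % attr)
        if op == "replace":
            # replace drops every existing value; anything not retyped is gone
            acls = [split_index(v)[1] for v in values]
        elif op == "delete":
            if not values:                       # bare delete removes all values
                acls = []
            for v in values:
                idx, text = split_index(v)
                if idx is None:
                    acls.remove(text)            # match by text, index ignored
                elif idx >= len(acls):
                    raise ValueError("noSuchAttribute: no value at {%d}" % idx)
                else:
                    del acls[idx]                # later values shift down by one
        elif op == "add":
            for v in values:
                idx, text = split_index(v)
                if idx is None or idx >= len(acls):
                    acls.append(text)            # no index (or past the end): append
                else:
                    acls.insert(idx, text)       # later values shift up by one
    return renumber(acls)


# Constructed cn=config state, as slapd would return it.
CURRENT = [
    "{0}to attrs=userPassword by self write by anonymous auth by * none",
    "{1}to * by * read",
]

# Delete-then-add form from the thread: swap {0} without touching {1}.
SWAP_FIRST = """\
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {0}
-
add: olcAccess
olcAccess: {0}to attrs=userPassword
  by group="cn=sys_allow_pw_change,ou=groups,dc=example,dc=com" write
  by self write by anonymous auth by * none
"""

# Insert form from the thread: new ACL at {1}, old {1} becomes {2}.
INSERT_SECOND = """\
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {1}to dn.subtree="ou=secrets,dc=example,dc=com" by * none
"""

# The replace form: every value must be retyped, and a forgotten one is
# accepted and silently dropped rather than rejected.
REPLACE_TYPO = """\
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by * read
"""


def demo():
    after_swap = apply_modify(CURRENT, SWAP_FIRST)
    after_insert = apply_modify(after_swap, INSERT_SECOND)
    after_replace = apply_modify(CURRENT, REPLACE_TYPO)
    return after_swap, after_insert, after_replace


if __name__ == "__main__":
    for label, result in zip(("swap {0}", "insert {1}", "replace"), demo()):
        print(label)
        for v in result:
            print("  olcAccess:", v)
```

The replace case is the failure mode the thread alludes to: the record is accepted and the userPassword ACL simply vanishes, leaving only the catch-all. Against a real server, apply the same records with ldapmodify -Q -Y EXTERNAL -H ldapi:/// and read the result back with ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b cn=config olcAccess to confirm the indexes came out as the model predicts.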