We have a setup whereby a group of users are able to create accounts in specific OUs. This is handled by ACLs like this one:
add: olcAccess
olcAccess: to dn.exact="ou=team1,ou=accounts,dc=example,dc=org" attrs=children
  by group/groupOfUniqueNames/uniqueMember="cn=account-mgrs-non-staff,ou=mailing,ou=groups,dc=example,dc=org" write
  by users read
  by * none
-
add: olcAccess
olcAccess: to dn.sub="ou=team1,ou=accounts,dc=example,dc=org" attrs=entry
  by group/groupOfUniqueNames/uniqueMember="cn=account-mgrs-non-staff,ou=mailing,ou=groups,dc=example,dc=org" write
  by users read
  by * none
-
I've been asked if the people who create those accounts can edit the passwords after the accounts have been created. I tried to do that by changing the second access line to read:
add: olcAccess
olcAccess: to dn.sub="ou=team1,ou=accounts,dc=example,dc=org" attrs=entry,userPassword,shadowLastChange
  by group/groupOfUniqueNames/uniqueMember="cn=account-mgrs-non-staff,ou=mailing,ou=groups,dc=example,dc=org" write
  by users read
  by * none
-
Now, my problem is that this is clashing with the rule that we have for authentication:
# Allow LDAP admin and the account concerned to modify their password, anonymous to authenticate.
add: olcAccess
olcAccess: to attrs=userPassword,shadowLastChange
  by dn="cn=admin,dc=example,dc=org" write
  by anonymous auth
  by self write
  by * none
Initially, that rule was the first of the olcAccess rules. I thought in advance that it was going to block the writes to userPassword & shadowLastChange in subsequent rules, so I moved it to after the rules that covered creating those accounts.
Authentication then broke :-(
I can't just add
by group/groupOfUniqueNames/uniqueMember="cn=account-mgrs-non-staff,ou=mailing,ou=groups,dc=example,dc=org" write
to the primary olcAccess rule because that will allow members of "account-mgrs-non-staff" to change the password on ANY account, which I cannot allow. It must only be to specific OUs.
How do I fix this clash between the rules, please?
Thanks.
Philip
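The clash comes from how slapd evaluates access directives: for a given entry and attribute it uses the first olcAccess rule whose "to" clause matches and never consults later rules for that target. A global `to attrs=userPassword,shadowLastChange` rule placed first therefore swallows every password operation, and moving it later means team1 accounts are governed only by the OU-specific rule, which has no `by anonymous auth` or `by self write` clause (and its `by users read` also exposes the password hashes to every authenticated user). The usual fix is one rule for the password attributes of the specific subtree, carrying all the clauses the global rule has, ordered before the global rule. The following is an added example built from the rules in the question, not the poster's actual configuration; the database DN `olcDatabase={1}mdb,cn=config` and the numeric `{n}` ordering are assumptions, and any other olcAccess rules already in the database (such as a trailing `by * read`) must be included since `replace` overwrites the whole attribute:

```ldif
# Added example, not the original poster's configuration.
# Assumes the directory is olcDatabase={1}mdb,cn=config; check with
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcAccess
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# {0}: most specific target first. Password attributes of accounts under
# ou=team1 only: admin and the account managers may write, the account may
# change its own password, anonymous may only bind against it, nobody reads.
olcAccess: {0}to dn.sub="ou=team1,ou=accounts,dc=example,dc=org" attrs=userPassword,shadowLastChange
  by dn="cn=admin,dc=example,dc=org" write
  by group/groupOfUniqueNames/uniqueMember="cn=account-mgrs-non-staff,ou=mailing,ou=groups,dc=example,dc=org" write
  by self write
  by anonymous auth
  by * none
# {1}: the original global password rule, now reached only for entries
# outside ou=team1, so the managers cannot touch other accounts' passwords.
olcAccess: {1}to attrs=userPassword,shadowLastChange
  by dn="cn=admin,dc=example,dc=org" write
  by anonymous auth
  by self write
  by * none
# {2},{3}: the account-creation rules from the question, unchanged.
# attrs=entry no longer lists the password attributes, so these rules
# never match a password operation.
olcAccess: {2}to dn.exact="ou=team1,ou=accounts,dc=example,dc=org" attrs=children
  by group/groupOfUniqueNames/uniqueMember="cn=account-mgrs-non-staff,ou=mailing,ou=groups,dc=example,dc=org" write
  by users read
  by * none
olcAccess: {3}to dn.sub="ou=team1,ou=accounts,dc=example,dc=org" attrs=entry
  by group/groupOfUniqueNames/uniqueMember="cn=account-mgrs-non-staff,ou=mailing,ou=groups,dc=example,dc=org" write
  by users read
  by * none
```

Before applying it, the resulting policy can be checked offline with slapacl against the config directory, for example `slapacl -F /etc/ldap/slapd.d -D "uid=MANAGER-PLACEHOLDER,dc=example,dc=org" -b "uid=ACCOUNT-PLACEHOLDER,ou=team1,ou=accounts,dc=example,dc=org" userPassword/write` (placeholder DNs), and the same command with a -b DN outside ou=team1, which should report write denied; an anonymous -D with `userPassword/auth` should still be allowed for both.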