--On Sunday, August 27, 2023 9:20 PM +0000 Marc Marc@f1-outsourcing.eu wrote:
On 8/27/23 19:01, Marc wrote:
olcAccess: {2} to attrs=userPassword,shadowLastChange by ssf=256 self read by ssf=256 anonymous auth by * none break
I think the problem is this rule. You specify 'by * none break', which means that evaluation is not stopped if this rule does not match. Because of that, the later rules for user 'yyyy' do match and 'yyyy' can read the 'userPassword' attribute.
You would have to specify a separate rule for 'userPassword' without 'break', something like this:
olcAccess: {1} to attrs=userPassword by self read by anonymous auth
Well done Souji! Thanks, that seems to be working better, and I can remove these redundant read/search combinations!
Yes, two things to keep in mind:
a) "by * none" is implicit in every ACL statement
b) Adding "break" to it means that the rest of the ACLs continue processing.
As for the frontend ACL bit, I strongly advise only having those first 2 ACLs present there, otherwise they apply to every database on the server. It's better to locate ACLs in the databases they are meant for.
Examples:
dn: olcDatabase={-1}frontend,cn=config
olcAccess: {0}to dn.base="" by * read
olcAccess: {1} to dn.exact="cn=Subschema" by * read

dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword by self write by anonymous auth
olcAccess: {1}to * by self write by sockurl.exact="^ldapi:///$" write by users read

dn: olcDatabase={2}monitor,cn=config
olcAccess: {0}to * by * read
etc.
--Quanah
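A small model of the two evaluation rules this thread turns on (the implicit trailing "by * none" and what "break" does), added here as an illustration; it is not code from the thread or from OpenLDAP, the DNs are constructed, and it deliberately leaves out the rest of slapd's ACL machinery (continue, incremental privileges, dn.regex, sets).

```python
# Toy model of slapd ACL evaluation (added example, not OpenLDAP code). It keeps
# only what matters here: first matching 'to', first matching 'by', the implicit
# trailing 'by * none', and the 'break' control. Real slapd does much more.

def who_matches(who, bind_dn, ssf, entry_dn):
    """who: '*', 'self', 'anonymous', 'users', optionally prefixed by 'ssf=N'."""
    for tok in who.split():
        if tok.startswith("ssf="):
            if ssf < int(tok[4:]):
                return False
        elif tok == "anonymous":
            if bind_dn is not None:
                return False
        elif tok == "users":
            if bind_dn is None:
                return False
        elif tok == "self":
            if bind_dn is None or bind_dn.lower() != entry_dn.lower():
                return False
        elif tok != "*":
            raise ValueError("unsupported who clause: " + tok)
    return True

def evaluate(acls, bind_dn, ssf, entry_dn, attr):
    """acls: list of (attrs, by_clauses); attrs is a set, or None for 'to *'.
    by_clauses: list of (who, level, control) with control 'stop' or 'break'."""
    for attrs, clauses in acls:
        if attrs is not None and attr not in attrs:
            continue            # this 'to' clause does not cover the attribute
        # slapd appends an implicit 'by * none' (stop) to every directive
        for who, level, control in clauses + [("*", "none", "stop")]:
            if who_matches(who, bind_dn, ssf, entry_dn):
                if control == "break":
                    break       # keep evaluating with the next access directive
                return level
    return "none"

# The rule quoted at the top of the thread, followed by a later catch-all grant.
BROKEN = [({"userPassword", "shadowLastChange"},
           [("ssf=256 self", "read", "stop"), ("ssf=256 anonymous", "auth", "stop"),
            ("*", "none", "break")]),
          (None, [("users", "read", "stop")])]
# The suggested separate rule: no 'break', so the implicit 'by * none' is final.
FIXED = [({"userPassword"}, [("self", "read", "stop"), ("anonymous", "auth", "stop")]),
         (None, [("users", "read", "stop")])]
ENTRY = "uid=xxxx,ou=people,dc=example,dc=com"   # constructed sample DNs
OTHER = "uid=yyyy,ou=people,dc=example,dc=com"
def password_access(acls, bind_dn, ssf=256):
    return evaluate(acls, bind_dn, ssf, ENTRY, "userPassword")
```

With BROKEN, user yyyy falls through the 'break' into the catch-all and reads xxxx's userPassword; with FIXED the implicit 'by * none' stops evaluation and yyyy gets nothing.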