Hi Quanah,
Thanks for the clarification.
I have added it as below:
+++
olcAccess: {1}to dn.subtree="dc=ldapprod,dc=com" by dn="cn=admin,dc=ldapprod,dc=com" write by dn="uid=authuser,dc=ldapprod,dc=com" write by dn="uid=repluser,dc=ldapprod,dc=com" read by dn="uid=replmonitor,dc=ldapprod,dc=com" read by * none
+++
Now the user replmonitor has admin privilege, where it can list all cn. I have tried adding attrs=contextcsn, but no luck. Could you please guide me on how I can restrict this?
Regards K.Keerthiga
On Fri, 14 Feb 2020 at 09:12, Quanah Gibson-Mount quanah@symas.com wrote:
--On Friday, February 14, 2020 8:03 AM +0530 keerthi krishnan keerthikrishnan1369@gmail.com wrote:
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=ldapprod,dc=com" write by dn="uid=authuser,dc=ldapprod,dc=com" write by dn="uid=repluser,dc=ldapprod,dc=com" read by * none
olcAccess: {1}to dn.subtree="dc=ldappro,dc=com" by dn="cn=admin,dc=ldapprod,dc=com" write by dn="uid=authuser,dc=ldapprod,dc=com" write by dn="uid=repluser,dc=ldapprod,dc=com" read by * none
olcAccess: {2}to dn.subtree="dc=ldapprod,dc=com" attrs=contextCSN by dn="uid=replmonitor,dc=ldapprod,dc=com" read by * none =======> newly added
Hi,
As documented in the slapd.access(5) man page, ACL processing stops on the first matching rule. Since rule {1} covers access to all attributes except userPassword, your query for contextCSN matches rule {1} and rule {2} never fires.
You probably want to move access rule {2} to be in front of {1}, and add additional "by" clauses to the rule to allow the admin, authuser, and repluser access to the attr.
Regards, Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
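The reordering Quanah describes, written out as a complete cn=config modification. This is an added example, not text from either poster: the database DN olcDatabase={1}mdb,cn=config is an assumption (check it with a search of cn=config), and it uses dn.base rather than the dn.subtree of the original rule {2}, because contextCSN is held on the suffix entry only. The first-match rule means the contextCSN rule must come before the catch-all rule for the subtree, and it must carry "by" clauses for admin, authuser and repluser, since otherwise those identities would fall through to "by * none" for that attribute. The "entry" pseudo-attribute is included because slapd needs read access to it before it will return the suffix entry at all; restricting the rule to dn.base keeps replmonitor from enumerating the DNs of the rest of the tree through that pseudo-attribute, which is the "can list all cn" problem from the earlier attempt.

```ldif
# Added example (not from the thread). Replace the full olcAccess list so the
# rule order is {0} passwords, {1} contextCSN on the suffix entry, {2} everything
# else. The database DN below is an assumption for this example.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by dn="cn=admin,dc=ldapprod,dc=com" write
  by dn="uid=authuser,dc=ldapprod,dc=com" write
  by dn="uid=repluser,dc=ldapprod,dc=com" read
  by * none
# Evaluated before the catch-all, so it is the rule that decides contextCSN.
# "entry" is needed so the suffix entry itself can be returned by a search.
olcAccess: {1}to dn.base="dc=ldapprod,dc=com" attrs=contextCSN,entry
  by dn="cn=admin,dc=ldapprod,dc=com" write
  by dn="uid=authuser,dc=ldapprod,dc=com" write
  by dn="uid=repluser,dc=ldapprod,dc=com" read
  by dn="uid=replmonitor,dc=ldapprod,dc=com" read
  by * none
# Catch-all for the rest of the tree; replmonitor is deliberately absent here,
# so it gets no access to any other entry or attribute.
olcAccess: {2}to dn.subtree="dc=ldapprod,dc=com"
  by dn="cn=admin,dc=ldapprod,dc=com" write
  by dn="uid=authuser,dc=ldapprod,dc=com" write
  by dn="uid=repluser,dc=ldapprod,dc=com" read
  by * none
```

Apply it with ldapmodify over the local socket as the config administrator (for example ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif), then check both halves of the intended behaviour as replmonitor: a base-scope search of dc=ldapprod,dc=com for contextCSN should return the value, while a subtree search for any other attribute should return nothing.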