Hi Quanah, 

Thanks for the clarification. 

I have added as below 

+++
olcAccess: {1}to dn.subtree="dc=ldapprod,dc=com" by dn="cn=a
 dmin,dc=ldapprod,dc=com" write by dn="uid=authuser,
 dc=ldapprod,dc=com" write by dn="uid=repluser,
 dc=ldapprod,dc=com" read by dn="uid=replmonitor,
 dc=ldapprod,dc=com" read by * none
+++

Now the user replmonitor has admin privilege, where it can list all cn. I have tried adding attrs=contextcsn, but no luck. Could you please guide me, how can I restrict this?

Regards
K.Keerthiga



On Fri, 14 Feb 2020 at 09:12, Quanah Gibson-Mount <quanah@symas.com> wrote:


--On Friday, February 14, 2020 8:03 AM +0530 keerthi krishnan
<keerthikrishnan1369@gmail.com> wrote:


> olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by
>  anonymous auth by dn="cn=admin,dc=ldapprod,dc=com" write by dn="u
>  id=authuser,dc=ldapprod,dc=com" write by dn="uid=repluser,d
>  c=ldapprod,dc=com" read by * none
> olcAccess: {1}to dn.subtree="dc=ldappro,dc=com" by dn="cn=a
>  dmin,dc=ldapprod,dc=com" write by dn="uid=authuser,dc=ldapprod,dc=com"
>  write by dn="uid=repluser,dc=ldapprod,dc=com" read by * none
> olcAccess: {2} to dn.subtree="dc=ldapprod,dc=com" attrs=contextCSN by
>  dn="uid=replmonitor,dc=ldapprod,dc=com" read by * none
> =======> newly added

Hi,

As documented in the slapd.access(5) man page, ACL processing stops on the
first matching rule. Since rule {1} covers access to all attributes except
userPassword, your query for contextCSN matches rule {1} and rule {2} never
fires.

You probably want to move access rule {2} to be in front of {1}, and add
additional "by" clauses to the rule to allow the admin, authuser, and
repluser access to the attr.

Regards,
Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
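Added example, not from the thread or the OpenLDAP project: a small Python model of the first-match evaluation Quanah describes, run over the rules from this thread in their posted order, in the reordered form he suggests, and in the follow-up variant where replmonitor was instead given read in the catch-all rule {1}. It handles only the slapd.access(5) syntax these rules use, and the suffix is assumed to be spelled dc=ldapprod,dc=com throughout.

```python
import re

# Added example, not from the thread or OpenLDAP: a first-match model of the
# slapd.access(5) subset used here (dn.subtree, attrs=, by dn="..."/self/anonymous/*).
# The real server has many more forms and also checks the "entry" pseudo-attribute.
def parse_rule(text):
    text = re.sub(r"^\{\d+\}\s*", "", text.strip())       # drop the {n} ordering prefix
    head, *clauses = re.split(r"\s+by\s+", text)          # "<what>", then each "<who> <level>"
    dn = re.search(r'dn\.subtree="([^"]+)"', head)
    attrs = re.search(r"attrs=([\w,]+)", head)
    what = {"dn": dn.group(1).lower() if dn else None,
            "attrs": {a.lower() for a in attrs.group(1).split(",")} if attrs else None}
    return what, [tuple(c.rsplit(None, 1)) for c in clauses]

def who_matches(who, requester, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester.lower() == target_dn.lower()
    m = re.fullmatch(r'dn="([^"]+)"', who)
    return bool(m and requester and m.group(1).lower() == requester.lower())

def evaluate(rules, requester, target_dn, attr):
    """Level granted to (requester, entry, attribute): the first rule whose <what>
    matches decides, via its first matching <by>; later rules are never consulted."""
    for what, by in rules:
        if what["dn"] and not target_dn.lower().endswith(what["dn"]):
            continue
        if what["attrs"] is not None and attr.lower() not in what["attrs"]:
            continue
        for who, level in by:
            if who_matches(who, requester, target_dn):
                return level
        return "none"
    return "none"

# Constructed input: the rules as posted (LDIF folding undone, suffix spelled
# consistently), the same rules with {2} moved in front, and the variant from the
# follow-up where replmonitor was instead given read in the catch-all rule {1}.
BASE = "dc=ldapprod,dc=com"
ADMINS = f'by dn="cn=admin,{BASE}" write by dn="uid=authuser,{BASE}" write by dn="uid=repluser,{BASE}" read'
POSTED = [parse_rule(r) for r in (
    f"{{0}}to attrs=userPassword,shadowLastChange by self write by anonymous auth {ADMINS} by * none",
    f'{{1}}to dn.subtree="{BASE}" {ADMINS} by * none',
    f'{{2}}to dn.subtree="{BASE}" attrs=contextCSN by dn="uid=replmonitor,{BASE}" read by * none',
)]
REORDERED = [POSTED[0], POSTED[2], POSTED[1]]
WIDENED = [POSTED[0], parse_rule(f'{{1}}to dn.subtree="{BASE}" {ADMINS} by dn="uid=replmonitor,{BASE}" read by * none')]
```

With the posted order, replmonitor gets "none" on contextCSN because rule {1} matches first; reordered, it gets "read" on contextCSN and still "none" on anything else, while the widened rule {1} from the follow-up gives it "read" on every attribute of every entry.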