From: "Quanah Gibson-Mount" quanah@symas.com

> olcAccess: {1}to dn.base="" by * read
>
> This is an ACL that is meant to go into the frontend DB, not the primary DB.

I remember setting that one so that ApacheDirectoryStudio (or another GUI) could read the RootDSE, but now you make me wonder ...?

> olcAccess: {3}to dn.subtree="dc=mydomain,dc=fr" by dn.exact="cn=repuser,ou=dsa,dc=mydomain,dc=fr" read by * break
>
> This ACL will never be used, since ACL{2} already covers your entire tree.

ACL{2} is dn.base, not subtree:

olcAccess: {2}to dn.base="dc=mydomain,dc=fr" by * read

For me it is not subtree access, but just "one level" => dn.base, the object dc=mydomain,dc=fr itself (again for GUIs). But if I am wrong in that interpretation, you are right, and then it allows access to everything for everyone :-( ! Please confirm.

> olcAccess: {4}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn.exact="cn=repuser,ou=dsa,dc=mydomain,dc=fr" read by * none

You are right, I should move {4} up above {3}, but {3} is just a line for dn.exact="cn=repuser,ou=dsa,dc=mydomain,dc=fr" read; then for "by *" there is a break!

> Same as #3.
>
> olcAccess: {5}to * by self read by * none
>
> Same as #3. In practice, you only have two functioning ACLs with what you provided:
>
> olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
> olcAccess: {2}to dn.base="dc=mydomain,dc=fr" by * read
>
> Probably most critical, you've given everyone, including anonymous, read access to the userPassword attribute of every account in your tree.

If you confirm how wrong {2} is, I must change it, indeed.

Thanks.

PS: to clarify the discussion, here's my initial post:

# cat olcRepConfigAccess.ldif
dn: olcDatabase={3}mdb,cn=config
# Database number (3) and type (mdb) might be different on your instance.
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.base="dc=mydomain,dc=fr" by * read
olcAccess: {3}to dn.subtree="dc=mydomain,dc=fr" by dn.exact="cn=repuser,ou=dsa,dc=mydomain,dc=fr" read by * break
olcAccess: {4}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn.exact="cn=repuser,ou=dsa,dc=mydomain,dc=fr" read by * none
olcAccess: {5}to * by self read by * none
> --
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> http://www.symas.com
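As an added example (not code from this thread or from OpenLDAP), here is a small Python model of the evaluation order documented in slapd.access(5): the first `to` clause matching the entry and attribute is used, within it the first matching `by` applies, and `break` continues with the next `to` clause. It encodes only the dn.base / dn.subtree distinction the thread argues about, with the six clauses from the initial post as data, so you can see which clause decides an anonymous read of userPassword under each reading of {2}; accumulated privileges and other who-forms are deliberately not modelled, and the entry DNs are constructed.

```python
BASE = "dc=mydomain,dc=fr"
REPUSER = "cn=repuser,ou=dsa,dc=mydomain,dc=fr"
ROOT = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"

# The six olcAccess clauses from the post, in order. Each <by> entry is
# (who, access, control); access is irrelevant when control is "break".
ACLS = [
    {"to": ("*", ""), "attrs": (), "by": [(ROOT, "manage", "stop"), ("*", "none", "break")]},
    {"to": ("base", ""), "attrs": (), "by": [("*", "read", "stop")]},
    {"to": ("base", BASE), "attrs": (), "by": [("*", "read", "stop")]},
    {"to": ("subtree", BASE), "attrs": (), "by": [(REPUSER, "read", "stop"), ("*", "none", "break")]},
    {"to": ("*", ""), "attrs": ("userPassword", "shadowLastChange"), "by": [("self", "write", "stop"),
     ("anonymous", "auth", "stop"), (REPUSER, "read", "stop"), ("*", "none", "stop")]},
    {"to": ("*", ""), "attrs": (), "by": [("self", "read", "stop"), ("*", "none", "stop")]},
]
# The other reading of {2} discussed in the thread: the same clause with dn.subtree instead of dn.base.
ACLS_SUBTREE = [dict(a, to=("subtree", BASE)) if i == 2 else a for i, a in enumerate(ACLS)]

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def in_scope(to, dn):
    kind, base = to
    if kind == "base":                            # dn.base: that single entry only
        return dn == base
    return kind == "*" or dn == base or dn.endswith("," + base)   # "*" or dn.subtree

def who_matches(who, dn, requester):              # requester None means anonymous
    return {"*": True, "anonymous": requester is None,
            "self": requester == dn}.get(who, requester == who)   # otherwise dn.exact=<who>

def decide(acls, dn, attr, requester=None):
    """(access, clause index): first <to> matching entry+attribute wins, inside it the
    first matching <by>; "break" continues with the next <to>; no <by> match denies."""
    for i, acl in enumerate(acls):
        if not in_scope(acl["to"], dn) or (acl["attrs"] and attr not in acl["attrs"]):
            continue
        for who, access, control in acl["by"]:
            if who_matches(who, dn, requester):
                if control == "break":
                    break                         # evaluate the next <to> clause
                return access, i
        else:
            return "none", i                      # implicit trailing "by * none"
    return "none", None

def can_read(acls, dn, attr, requester=None):
    return LEVELS.index(decide(acls, dn, attr, requester)[0]) >= LEVELS.index("read")
```

Run `decide(ACLS, "uid=alice,ou=people," + BASE, "userPassword")` against both ACL lists to compare which clause ends up deciding an anonymous read of userPassword under each reading.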