On 01.08.24 at 18:13, pficheux@integra.fr wrote:
Alright, it makes more sense to me now, thank you.
Last question, I'm trying to do this:
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth
olcAccess: {1}to * by self read
I can connect, but not read the BDD. What am I doing wrong here?
What is BDD?
"by self read" means that only the user's own entry can be read. For this the user needs to know where his/her entry is located within the DIT (Directory Information Tree).
Assuming that your base is "dc=example,dc=org" and the management access configured for "cn=manager,dc=example,dc=org" what you probably want to have is:
access to attrs=userPassword,shadowLastChange by self write by anonymous auth
access to * by "cn=operator,dc=example,dc=org" manage by self read by anonymous search
Notice two things:
- "cn=manager,dc=example,dc=org" does not occur within the ACLs because this account is configured within slapd.conf / cn=config as the almighty user for dc=example,dc=org
- "cn=operator,dc=example,dc=org" is a second account that is also allowed to edit the content of the DIT
While cn=manager doesn't need to exist inside the DIT (if the password is given in slapd.conf / cn=config) the second account cn=operator must exist, e.g.
dn: cn=operator,dc=example,dc=org
objectClass: top
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: operator
userPassword: <HASH of the password>
description: secondary management account
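To make the evaluation order concrete, here is a small Python model of how slapd walks the two ACL sets from this thread. It is an added example, not part of the thread and not OpenLDAP code: it models only the subset of the ACL syntax used above (the "*" and "attrs=" forms of <what>; "*", "anonymous", "users", "self" and an exact DN as <who>), and runs against a constructed four-entry DIT (the DNs cn=alice and cn=bob are assumptions). It reproduces the point made in the reply: with "to * by self read", a bound user is granted nothing on the base entry or on anyone else's entry, so a search has to be based at the user's own DN. It also shows a consequence of the proposed rules worth knowing before deploying them: because the first matching "to" clause ends evaluation, cn=operator gets "manage" on everything except userPassword and shadowLastChange, where the "attrs=" clause matches first and grants it nothing.

```python
"""Toy model of slapd ACL evaluation (added example, not OpenLDAP code).

Two rules drive everything: slapd uses the first "to" clause whose <what>
matches the attribute, and within it the first "by" clause whose <who>
matches the bound DN; anything else evaluates to "none".
"""
import re

# Access levels in increasing order; a higher level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def norm_dn(dn):
    """Case-insensitive DN comparison, ignoring spaces after commas."""
    return None if dn is None else re.sub(r",\s*", ",", dn.strip()).lower()


def parse_acl(line):
    """Parse one 'access to ...' or 'olcAccess: {n}to ...' directive (subset)."""
    line = re.sub(r"^(olcAccess:\s*)?(\{\d+\})?\s*(access\s+)?to\s+", "", line.strip())
    what, *by_clauses = [p.strip() for p in line.split(" by ")]
    if what == "*":
        attrs = None  # matches every attribute and the entry itself
    elif what.startswith("attrs="):
        attrs = set(what[len("attrs="):].split(","))
    else:
        raise ValueError("unsupported <what>: " + what)
    by = []
    for clause in by_clauses:
        who, level = clause.rsplit(None, 1)
        if level not in LEVELS:
            raise ValueError("unknown access level: " + level)
        by.append((who.strip('"'), level))
    return {"attrs": attrs, "by": by}


def who_matches(who, bind_dn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and norm_dn(bind_dn) == norm_dn(target_dn)
    return norm_dn(bind_dn) == norm_dn(who)  # explicit DN


def access_level(acls, bind_dn, target_dn, attr):
    """Level granted to bind_dn on attr of target_dn.

    attr="entry" stands for slapd's pseudo-attribute for the entry itself;
    an 'attrs=' clause does not match it unless it is listed explicitly.
    """
    for acl in acls:
        if acl["attrs"] is not None and attr not in acl["attrs"]:
            continue
        for who, level in acl["by"]:
            if who_matches(who, bind_dn, target_dn):
                return level
        return "none"  # clause matched but no <who> did: implicit "by * none"
    return "none"  # no clause matched at all


def permits(acls, bind_dn, target_dn, attr, needed):
    return LEVELS.index(access_level(acls, bind_dn, target_dn, attr)) >= LEVELS.index(needed)


def search(acls, bind_dn, dit):
    """Entries a subtree search returns, each with the attributes whose values are visible.

    An entry is returned when the client has 'search' on its "entry"
    pseudo-attribute; a value is returned when it has 'read' on that attribute.
    """
    result = {}
    for dn, attrs in dit.items():
        if permits(acls, bind_dn, dn, "entry", "search"):
            result[dn] = sorted(a for a in attrs if permits(acls, bind_dn, dn, a, "read"))
    return result


# Constructed sample DIT (attribute names only; values do not affect the ACL check).
DIT = {
    "dc=example,dc=org": {"dc", "objectClass"},
    "cn=alice,dc=example,dc=org": {"cn", "objectClass", "userPassword"},
    "cn=bob,dc=example,dc=org": {"cn", "objectClass", "userPassword"},
    "cn=operator,dc=example,dc=org": {"cn", "objectClass", "description", "userPassword"},
}

# The ACL from the question (olcAccess form) and the one proposed in the reply.
ORIGINAL_ACLS = [parse_acl(line) for line in [
    "olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth",
    "olcAccess: {1}to * by self read",
]]
PROPOSED_ACLS = [parse_acl(line) for line in [
    "access to attrs=userPassword,shadowLastChange by self write by anonymous auth",
    'access to * by "cn=operator,dc=example,dc=org" manage by self read by anonymous search',
]]

if __name__ == "__main__":
    alice = "cn=alice,dc=example,dc=org"
    operator = "cn=operator,dc=example,dc=org"
    print("original, bound as alice:", search(ORIGINAL_ACLS, alice, DIT))
    print("original, anonymous:", search(ORIGINAL_ACLS, None, DIT))
    print("proposed, anonymous:", search(PROPOSED_ACLS, None, DIT))
    print("proposed, bound as operator:", search(PROPOSED_ACLS, operator, DIT))
    print("operator on alice's userPassword:", access_level(PROPOSED_ACLS, operator, alice, "userPassword"))
```

Against a real server the same questions are answered by slapacl (e.g. slapacl -D cn=operator,dc=example,dc=org -b cn=alice,dc=example,dc=org userPassword/write), which evaluates the live ACLs without needing a bind; the model above is only meant to make the first-match rule visible.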