Hello Uwe,

Thanks for the answer.

So, if I understand correctly, until you are authenticated, you are considered as anonymous, or sort of by the LDAP right?

And concerning the "by self write", in the example :

access to dn.children="dc=example,dc=com" by self write by group.exact="cn=Administrators,dc=example,dc=com" write by * auth

What is the purpose of this? An authenticated user can write his own entry with that?

Regards,

Gab.

Am 01.08.24 um 16:42 schrieb pficheux@integra.fr:

Hello Uwe,

Thanks for the answer.

So, if I understand correctly, until you are authenticated, you are considered as anonymous, or sort of by the LDAP right?

You are either anonymous == unauthenticated or you are authenticated against an LDAP entry. (There are some other, special cases where you are authenticated against something else but that would get too far off track right now.)

And concerning the "by self write", in the example :

access to dn.children="dc=example,dc=com" by self write by group.exact="cn=Administrators,dc=example,dc=com" write by * auth

What is the purpose of this? An authenticated user can write his own entry with that?

Yes, exactly, given that the user's entry is below dc=example,dc=com. Usually that is used like

access to attrs=userPassword by self write by anonymous auth

to allow authentication and password changes.

Regards,

Gab.

Am 01.08.24 um 18:13 schrieb pficheux@integra.fr:

Alright, it's make more sense to me now, thank you.

Last question, I'm trying to do this:

olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth olcAccess: {1}to * by self read

I can connect, but not read the BDD. What am I doing wrong here?

What is BDD?

"by self read" means that only the user's own entry can be read. For this the user needs to know where his/her entry is located within the DIT (Directory Information Tree).

Assuming that your base is "dc=example,dc=org" and the management access configured for "cn=manager,dc=example,dc=org" what you probably want to have is:

access to attrs=userPassword,shadowLastChange by self write by anonymous auth

access to * by "cn=operator,dc=exmaple,dc=org" manage by self read by anonymous search

Notice two things: - "cn=manager,dc=example,dc=org" does not occur within ACLs because this account is configured within slapd.conf / cn=config as almighty user for dc=example,dc=org - "cn=operator,dc=exmaple,dc=org" is a second account that is also allowed to edit the content of the DIT

While cn=manager doesn't need to exist inside the DIT (if the password is given in slapd.conf / cn=config) the second account cn=operator must exist, e.g.

dn: cn=operator,dc=exmaple,dc=org objectClass: top objectClass: organizationalRole objectClass: simpleSecurityObject cn: operator userPassword: <HASH of the password> description: secondary management account

Am 02.08.24 um 10:24 schrieb pficheux@integra.fr:

Hello,

Sorry, BDD is the french word for DB.

What I'm trying to test here, is to have users permissions to modify their own password, but also the right to read others entry.

I've tried to put "break" at the end of the first ACL, but it's not working.

dn: olcDatabase={1}mdb,cn=config add: olcAccess olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth break olcAccess: {1}to * by self read

All the info you are asking for can be found at

https://www.openldap.org/doc/admin26/access-control.html

"break" doesn't do any good here because it just stops the evaluation of attrs=userPassword,shadowLastChange BUT these attributes will be part of further evaluation.

E.g. if you have a "global" rule

olcAccess: {0}to * by "cn=operator,dc=example,dc=org" manage

that would give cn=operator (and the root user) all access but after that, the evaluation of "*" will stop.

But with

olcAccess: {0}to * by "cn=operator,dc=example,dc=org" manage break

the evaluation of "*" is done by further, more specific rules that follow.

Given "to have users permissions to modify their own password, but also the right to read others entry" you want:

dn: olcDatabase={1}mdb,cn=config add: olcAccess olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth

olcAccess: {1}to * by users read

which gives the anonymous user the right to authenticate, the authenticated user to modify the password and any other authenticated user the right to read the DIT (but for attrs=userPassword,shadowLastChange).