Damn! My ACLs don't work despite your help :-/
In the log it seems that "supervision" can't access dc=fr; it starts from dc=gouv,dc=fr. Without rule #3 it's OK because of rule #5, but with rule #3 it's supposed to match contextCSN.
Thanks guys.
Here are my ACLs:
# 1) Admin's branch
access to dn.subtree="ou=Comptes Admin,dc=fr"
    by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
    by self auth
    by users auth
    by anonymous auth

# 2) userPassword accessible by all
access to * attrs=userPassword
    by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
    by users auth
    by anonymous auth
    by * none

# 3) ********* CONTEXTCSN **********
access to dn.base="dc=fr" attrs=entry,children,contextcsn
    by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
    by dn.exact="cn=supervision,ou=Comptes Clients,dc=fr" read
    by * none

# 4) Certificate
access to * attrs=userCertificateAuthentication,userCertificateConfidentiality,userCertificateSigning
    by dn.exact="cn=clienttest,ou=Comptes Clients,dc=fr" read
    by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
    by * none

# 5) Branch dc=gouv,dc=fr
access to dn.subtree="dc=gouv,dc=fr"
    by dn.subtree="ou=Comptes Clients,dc=fr" read
    by dn.subtree="ou=Comptes Admin,dc=fr" write
    by * none

# 6) All the tree
access to *
    by dn.exact="cn=root,dc=fr" write
    by dn.subtree="ou=Comptes Admin,dc=fr" read
    by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
    by self none
    by users none
    by anonymous none
    by * none
On Tue, Oct 16, 2018 at 6:31 PM Quanah Gibson-Mount quanah@symas.com wrote:
--On Tuesday, October 16, 2018 6:54 PM +0200 Dieter Klünter dieter@dkluenter.de wrote:
On Tue, 16 Oct 2018 15:51:50 +0200, Lirien Maxime maxime.lirien@gmail.com wrote:
Hi all, thanks for reading. I have a "supervision" account on all my LDAP servers. With the Nagios plugin, it checks the synchronisation. I would like this account to read only contextCSN to check synchronisation, and only contextCSN, not the other entries (Nagios check plugin). Can someone help me write the right ACL?
Here is what I tried, but it's not really right :-/

# ContextCSN
access to dn.subtree="dc=fr" attrs=contextCSN
    by dn.subtree="cn=supervision,ou=Comptes Clients,dc=fr" read
    by * none
access to dn.base=dc=fr attrs=entry,children,contextCSN read
I'd also be careful of doing "by * none" to the contextCSN, etc, as that can break replication depending on the DN that binds to the master(s), since the replication DN must be able to read the contextCSN.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
On Thu, 18 Oct 2018 09:48:22 +0200, Lirien Maxime maxime.lirien@gmail.com wrote:
Damn! My ACLs don't work despite your help :-/
Run slapd in debugging mode 'acl' or test with slapacl(8); note that contextCSN is stored in the root entry.
-Dieter
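To make the first-match behaviour of slapd ACLs concrete, here is a small Python model of the evaluation rules written for this page. It is not OpenLDAP code and is not a substitute for slapacl(8); the six ACLs posted above are transcribed into it and probed with the bind DNs from the thread. It assumes the slapd.access(5) rules that the first "access to" clause whose target matches the entry and attribute is selected, that the first matching "by" clause inside it decides, and that no matching "by" clause means "none". It does not model the rootdn (which bypasses ACLs entirely), dn.regex, sets, peername/ssf, privileges such as +rscxd, or the break/stop controls; the sample requests and the attribute "objectClass" used as a non-contextCSN probe are constructed for the example.

```python
"""Simplified model of slapd ACL evaluation (added example, not OpenLDAP code).

Modelled rules from slapd.access(5):
  * the first "access to" clause whose <what> matches the entry and the
    attribute is selected; later clauses are never consulted;
  * inside it the first matching "by" clause decides; no match means "none";
  * dn.base/dn.exact match one entry, dn.subtree the entry and everything
    below it; attrs compare case-insensitively, and "entry" is a
    pseudo-attribute standing for the entry itself.
Not modelled: rootdn bypass, dn.regex, sets, peername/ssf, +privileges,
"break"/"stop". All sample DNs and requests below are constructed.
"""

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def normalize_dn(dn):
    """Lower-case and strip spaces around commas so DNs compare reliably."""
    return ",".join(part.strip() for part in dn.strip().lower().split(","))


def dn_matches(style, pattern, dn):
    """Apply a dn.<style>= selector (base/exact, one, subtree, children)."""
    pattern, dn = normalize_dn(pattern), normalize_dn(dn)
    if style in ("base", "exact"):
        return dn == pattern
    if style == "subtree":
        return dn == pattern or dn.endswith("," + pattern)
    if style == "children":
        return dn.endswith("," + pattern)
    if style == "one":
        return dn.endswith("," + pattern) and "," not in dn[:-len(pattern) - 1]
    raise ValueError("unsupported dn style: " + style)


class Acl:
    def __init__(self, what_dn, attrs, by):
        # what_dn: None for "*", else (style, dn); attrs: None for all, else a list
        # by: list of (who, level); who is "*", "self", "users", "anonymous" or (style, dn)
        self.what_dn = what_dn
        self.attrs = None if attrs is None else {a.lower() for a in attrs}
        self.by = by

    def matches_target(self, entry_dn, attr):
        if self.what_dn is not None and not dn_matches(*self.what_dn, entry_dn):
            return False
        return self.attrs is None or attr.lower() in self.attrs

    def level_for(self, bind_dn, entry_dn):
        for who, level in self.by:
            if who == "*":
                return level
            if who == "anonymous" and bind_dn is None:
                return level
            if who == "users" and bind_dn is not None:
                return level
            if who == "self" and bind_dn is not None and normalize_dn(bind_dn) == normalize_dn(entry_dn):
                return level
            if isinstance(who, tuple) and bind_dn is not None and dn_matches(*who, bind_dn):
                return level
        return "none"  # implicit trailing "by * none"


def evaluate(acls, bind_dn, entry_dn, attr):
    """Return (granted level, 1-based index of the deciding clause or None)."""
    for i, acl in enumerate(acls):
        if acl.matches_target(entry_dn, attr):
            return acl.level_for(bind_dn, entry_dn), i + 1
    return "none", None


def allowed(acls, bind_dn, entry_dn, attr, wanted):
    level, _ = evaluate(acls, bind_dn, entry_dn, attr)
    return LEVELS.index(level) >= LEVELS.index(wanted)


SYNCHRO = ("exact", "cn=Synchro,ou=Comptes Admin,dc=fr")
SUPERVISION = ("exact", "cn=supervision,ou=Comptes Clients,dc=fr")

# The six ACLs as posted in the thread, transcribed into this model.
THREAD_ACLS = [
    Acl(("subtree", "ou=Comptes Admin,dc=fr"), None,
        [(SYNCHRO, "read"), ("self", "auth"), ("users", "auth"), ("anonymous", "auth")]),
    Acl(None, ["userPassword"],
        [(SYNCHRO, "read"), ("users", "auth"), ("anonymous", "auth"), ("*", "none")]),
    Acl(("base", "dc=fr"), ["entry", "children", "contextCSN"],
        [(SYNCHRO, "read"), (SUPERVISION, "read"), ("*", "none")]),
    Acl(None, ["userCertificateAuthentication", "userCertificateConfidentiality", "userCertificateSigning"],
        [(("exact", "cn=clienttest,ou=Comptes Clients,dc=fr"), "read"), (SYNCHRO, "read"), ("*", "none")]),
    Acl(("subtree", "dc=gouv,dc=fr"), None,
        [(("subtree", "ou=Comptes Clients,dc=fr"), "read"),
         (("subtree", "ou=Comptes Admin,dc=fr"), "write"), ("*", "none")]),
    Acl(None, None,
        [(("exact", "cn=root,dc=fr"), "write"), (("subtree", "ou=Comptes Admin,dc=fr"), "read"),
         (SYNCHRO, "read"), ("self", "none"), ("users", "none"), ("anonymous", "none"), ("*", "none")]),
]

if __name__ == "__main__":
    sup = "cn=supervision,ou=Comptes Clients,dc=fr"
    for entry in ("dc=fr", "dc=gouv,dc=fr"):
        print(entry, "contextCSN for supervision:", evaluate(THREAD_ACLS, sup, entry, "contextCSN"))
    print("dc=fr objectClass for supervision:", evaluate(THREAD_ACLS, sup, "dc=fr", "objectClass"))
    print("dc=fr contextCSN for cn=root,dc=fr:", evaluate(THREAD_ACLS, "cn=root,dc=fr", "dc=fr", "contextCSN"))
```

Run as a script, the model shows supervision getting read on contextCSN at dc=fr through rule 3 and at dc=gouv,dc=fr through rule 5, getting nothing else on the dc=fr entry because the other attributes fall through to rule 6, and it shows any DN other than Synchro and supervision, cn=root,dc=fr included, getting "none" on the dc=fr contextCSN from rule 3's "by * none". That last case is the replication breakage Quanah warned about, unless the replication DN is the database rootdn, which bypasses ACLs. Which entry actually carries contextCSN depends on the database suffix, so probe the entry slapd treats as the root, as Dieter says, and confirm the model's verdict with slapacl(8) against the real config.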
openldap-technical@openldap.org