--On Thursday, November 09, 2017 12:39 PM +0100 Dennis Meyer snooops84@gmail.com wrote:
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=loginShell,gecos by dn="cn=admin,dc=localdomain" write by self write by * read
olcAccess: {2}to attrs=shadowLastChange by self write by * read
olcAccess: {3}to * by * read
olcAccess: {4}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=localdomain" write by dn="cn=mirrormode,dc=localdomain" read by * none
ACL {4} will never be evaluated, because ACL parsing stops on the first match, which will be ACL {3} (access to everything by anyone read). Even if you fix that problem, ACL {4} would still be unlikely to be evaluated due to ACL {0} as well.
Any ideas how I could solve this?
Fix your ACLs. ;) Something like:
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=localdomain" write by dn="cn=mirrormode,dc=localdomain" read
olcAccess: {1}to attrs=loginShell,gecos by dn="cn=admin,dc=localdomain" write by self write by * read
olcAccess: {2}to attrs=shadowLastChange by self write by dn="cn=admin,dc=localdomain" write by * read
olcAccess: {3}to * by dn="cn=admin,dc=localdomain" write by * read
Note that "by * none" at the end of an ACL is implicit, so it's not required to list it explicitly.
--Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
openldap-technical@openldap.org
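The first-match behaviour Quanah describes is easy to check offline before loading an ACL set into a live server. The following script is an added example, not code from this thread or from OpenLDAP: it is a deliberately simplified simulator of `olcAccess` evaluation (first matching `to` clause wins, then the first matching `by` clause within it, and an implicit `by * none` if none matches). It only understands the `to *`, `to attrs=...`, `self`, `anonymous`, `users`, `*` and exact `dn="..."` forms used in the thread, ignores entry-level access, regex and group styles, and uses constructed DNs (`uid=alice,...`) for the requester and target entry. It also flags rules that can never be reached because every attribute they name is already caught by an earlier rule or by an earlier `to *`, which is exactly the problem with ACL {4} above.

```python
"""Simplified first-match simulator for OpenLDAP olcAccess rules (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Access levels in increasing order; "auth" is enough to bind, "read" to return the value.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


@dataclass
class Clause:
    attrs: Optional[Set[str]]        # None means "to *"
    by: List[Tuple[str, str]]        # ordered (who, level) pairs


def parse_acl(line: str) -> Clause:
    """Parse one olcAccess value such as '{0}to attrs=userPassword by self write by * none'."""
    body = line.split("}", 1)[1] if line.startswith("{") else line   # drop the {n} ordering prefix
    if not body.startswith("to "):
        raise ValueError("expected 'to' clause: " + line)
    target, _, rest = body[3:].partition(" by ")
    target = target.strip()
    attrs = None if target == "*" else set(target[len("attrs="):].split(","))
    by = []
    for part in rest.split(" by "):
        who, level = part.strip().rsplit(" ", 1)
        if level not in LEVELS:
            raise ValueError("unknown access level: " + level)
        by.append((who, level))
    return Clause(attrs, by)


def who_matches(who: str, requester_dn: str, entry_dn: str) -> bool:
    """Match the subset of 'by' subjects used in the thread (exact dn= only, no regex/groups)."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn == ""
    if who == "users":
        return requester_dn != ""
    if who == "self":
        return requester_dn.lower() == entry_dn.lower()
    if who.startswith('dn="') and who.endswith('"'):
        return who[4:-1].lower() == requester_dn.lower()
    raise ValueError("unsupported 'by' subject in this simulator: " + who)


def evaluate(acls: List[Clause], requester_dn: str, entry_dn: str, attr: str):
    """Return (granted_level, index_of_clause_that_decided). Only the first matching 'to' is consulted."""
    for idx, clause in enumerate(acls):
        if clause.attrs is not None and attr not in clause.attrs:
            continue
        for who, level in clause.by:
            if who_matches(who, requester_dn, entry_dn):
                return level, idx
        return "none", idx          # implicit trailing "by * none"
    return "none", None             # no clause matched at all: denied


def allows(acls, requester_dn, entry_dn, attr, wanted: str) -> bool:
    level, _ = evaluate(acls, requester_dn, entry_dn, attr)
    return LEVELS.index(level) >= LEVELS.index(wanted)


def unreachable(acls: List[Clause]) -> List[int]:
    """Indices of clauses that can never be selected: shadowed by an earlier 'to *' or by
    earlier clauses that already cover every attribute they name."""
    dead, covered, catch_all = [], set(), False
    for idx, clause in enumerate(acls):
        if catch_all:
            dead.append(idx)
        elif clause.attrs is None:
            catch_all = True
        elif clause.attrs <= covered:
            dead.append(idx)
        else:
            covered |= clause.attrs
    return dead


# The two ACL sets from the thread (the original poster's and the suggested fix).
ORIGINAL = [parse_acl(l) for l in [
    '{0}to attrs=userPassword by self write by anonymous auth by * none',
    '{1}to attrs=loginShell,gecos by dn="cn=admin,dc=localdomain" write by self write by * read',
    '{2}to attrs=shadowLastChange by self write by * read',
    '{3}to * by * read',
    '{4}to attrs=userPassword,shadowLastChange by self write by anonymous auth '
    'by dn="cn=admin,dc=localdomain" write by dn="cn=mirrormode,dc=localdomain" read by * none',
]]
FIXED = [parse_acl(l) for l in [
    '{0}to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=localdomain" write '
    'by dn="cn=mirrormode,dc=localdomain" read',
    '{1}to attrs=loginShell,gecos by dn="cn=admin,dc=localdomain" write by self write by * read',
    '{2}to attrs=shadowLastChange by self write by dn="cn=admin,dc=localdomain" write by * read',
    '{3}to * by dn="cn=admin,dc=localdomain" write by * read',
]]

# Constructed DNs for the demonstration; only the admin and mirrormode DNs come from the thread.
USER = "uid=alice,ou=people,dc=localdomain"
MIRROR = "cn=mirrormode,dc=localdomain"
ADMIN = "cn=admin,dc=localdomain"

if __name__ == "__main__":
    print("unreachable in ORIGINAL:", unreachable(ORIGINAL))   # [4]
    print("unreachable in FIXED:", unreachable(FIXED))         # []
    for name, acls in (("ORIGINAL", ORIGINAL), ("FIXED", FIXED)):
        print(name, "mirrormode read userPassword:", allows(acls, MIRROR, USER, "userPassword", "read"))
```

Running it shows that under the original set rule {4} is dead and the mirrormode DN is denied on `userPassword` by rule {0}, while under the fixed set every rule is reachable and the replication DN gets `read` on `userPassword` without opening it to anyone else.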