Hi,

For those, for mind find this thread through google and like me overwhelmed with information won't understand the documentation. The RootDN cannot be restricted from having privileges under OpenLDAP 2.4. Hence, ACLs won't do anything for RootDN. This is documented.

Someone, elsewhere pointed this out for me.

Sincerely,

Igor Shmukler

On Wed, Apr 15, 2015 at 5:41 PM, Igor Shmukler igor.shmukler@gmail.com wrote:

Hello,

I tried to filter out everyone except cn=config when my ACL filter rule is true (a NAME type attribute matches a value), so that password authentication for filtered-out users would fail. It works for regular users, and does not for admins. Is this because my ACL rules are wrong, or is this a feature of OpenLDAP? Why no matter what I do

My LDIF is below:

dn: olcDatabase={2}hdb,cn=config changetype: modify replace: olcAccess olcAccess: {0}to attrs=userPassword,shadowLastChange filter=(serviceLevel=suspended) by dn="cn=config" write by * none olcAccess: {1}to attrs=userPassword,shadowLastChange filter=(!(serviceLevel=suspended)) by self write by anonymous auth by dn="cn=admin,dc=directory,dc=com" write by dn="cn=config" write by * none olcAccess: {2}to dn.base="" by * read olcAccess: {3}to * filter=(serviceLevel=suspended) by dn="cn=config" write by * none olcAccess: {4}to * filter=(!(serviceLevel=suspended)) by self write by dn="cn=admin,dc=directory,dc=com" write by dn="cn=config" write by * read

Is there something special about LDAP administrator, by design?

Thank you,

Igor Shmukler