Bonjour Florent,

(sorry I answer just this in Freanch : easier to me 🙂 Les ACL s'arrêtent au premier match. Il faut donc mettre les droits des user sconcernés pour chaque ACL). Here a franch link : https://www.vincentliefooghe.net/content/les-acl-dans-openldap

Here an example :

access to attrs=userPassword by dn.exact="cn=admin,dc=example,dc=fr" write by users auth by anonymous auth by * none

access to dn.subtree="the_place_you_want" by dn="ou=system-write,dc=example,dc=fr" write by dn="ou=system-read,dc=example,dc=fr" read by users read

access to dn.subtree="ou=ent,dc=example,dc=fr" by self write by dn="ou=system-read,dc=example,dc=fr" read by dn="ou=system-write,dc=example,dc=fr" write by * none

Another way very interesting is to use "break" and "continue" keyword.

________________________________ De : openldap-technical openldap-technical-bounces@openldap.org de la part de Florent Vallée florent.vallee@insa-cvl.fr Envoyé : lundi 20 mai 2019 11:05 À : openldap-technical Objet : OPEN LDAP ACL

Hello,

I manage all my users with LDAP.

I would like to build the following reading rules:

1. only admin can change passwords, authenticated users read and anonymous do nothing

2. Authenticated users access the database but can only read their account but not the rest

3. the group ou = system-read can read the whole database

4. the group ou = system-write can write in ou = ent

5. Anonymous access is forbidden

My LDIF file :

dn: olcDatabase={1}mdb,cn=config changetype: modify replace: olcAccess olcAccess: {0}to attrs=userPassword by self write by dn="cn=admin,dc=example,dc=fr" write by * auth olcAccess: {1}to dn.base="" by self write by dn="ou=system-read,dc=example,dc=fr" read by * auth olcAccess: {2}to dn.subtree="ou=ent,dc=example,dc=fr" by self write by dn="ou=system-write,dc=example,dc=fr" write by * none olcAccess: {3}to * by self write by dn="cn=admin,dc=example,dc=fr" write by * none

I have a lot of trouble with ACLs, I can not do what I want with. Thank you for your help.

Florent