Dear colleagues,
There's a question I posted on ServerFault (https://serverfault.com/questions/1088252/a-very-simple-olcaccess-rule-do...), but it seems that asking my question in this mailing list would be a better idea.
So, long story short, I have a domain (let's call it `dc=example,dc=org`).
The domain has a branch (`ou=users,ou=ftp,ou=services,dc=k9999,dc=z9999,dc=infra,dc=example,dc=org`).
There's a simpleSecurityObject in this domain (`uid=admin,ou=managers,ou=ftp,ou=services,dc=k9999,dc=z9999,dc=infra,dc=example,dc=org`).
I need the uid=admin,*** user to have full (manage) access to the ou=users,*** branch, so I added the following olcAccess record: `to dn.subtree="ou=users,ou=ftp,ou=services,dc=k9999,dc=z9999,dc=infra,dc=example,dc=org" by dn.exact="uid=admin,ou=managers,ou=ftp,ou=services,dc=k9999,dc=z9999,dc=infra,dc=example,dc=org" manage`.
It has been added to the default set of rules:
```
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,dc=example,dc=org" write by anonymous auth by * none
olcAccess: {2}to * by self read by dn="cn=admin,dc=example,dc=org" write by * none
olcAccess: {3}to dn.subtree="ou=users,ou=ftp,ou=services,dc=k9999,dc=z9999,dc=infra,dc=example,dc=org" by dn.exact="uid=admin,ou=managers,ou=ftp,ou=services,dc=k9999,dc=z9999,dc=infra,dc=example,dc=org" manage
```
But something seems to be wrong. When I run `ldapsearch -D uid=admin,ou=managers,ou=ftp,ou=services,dc=k9999,dc=z9999,dc=infra,dc=example,dc=org -W -b ou=users,ou=ftp,ou=services,dc=k9999,dc=z9999,dc=infra,dc=example,dc=org`, I get the following result:
```
# extended LDIF
#
# LDAPv3
# base <ou=users,ou=ftp,ou=services,dc=k9999,dc=z9999,dc=infra,dc=example,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
command terminated with exit code 32
```
The object is actually available and `cn=admin,dc=example,dc=org` can see it without any difficulties, so it seems that my access rule is wrong. But what exactly is it?
It seems that the default rule #2 (`{2} to * by self read by
dn="cn=admin,dc=example,dc=org" write by * none`) fires up earlier than
the rule I added. Does that mean that I should always add my custom
rules before it?
And why does this rule have `by * none`? Doesn't it contradict the OpenLDAP documentation? "The default access control policy is allow read by all clients" (https://www.openldap.org/doc/admin24/access-control.html).
Thank you in advance.
With best regards,
V.Melnyk
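To make the ordering question concrete, here is an added toy evaluator (not from the original post and not OpenLDAP code) that mimics how slapd walks olcAccess: the first `to` clause whose target matches the entry is selected, then its `by` clauses are tried in order and the first match decides, unless it is `break`, which continues with the next `to` clause. It assumes the rules quoted above (the `attrs=` rule {1} is left out because it never selects an entry-level lookup), a constructed `uid=bob` entry under the branch, and a `by * break` on the moved subtree rule so other binders still fall through to the catch-all; the real rootdn bypasses ACLs entirely, which this model does not reproduce.

```python
# Added toy model of slapd olcAccess evaluation (not OpenLDAP code).
SUBTREE = "ou=users,ou=ftp,ou=services,dc=k9999,dc=z9999,dc=infra,dc=example,dc=org"
ADMIN = "uid=admin,ou=managers,ou=ftp,ou=services,dc=k9999,dc=z9999,dc=infra,dc=example,dc=org"
ROOT = "cn=admin,dc=example,dc=org"
PEERCRED = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"

def target_matches(target, entry_dn):
    """`*`, dn.subtree=..., dn.exact=... ; attrs=... never selects an entry."""
    if target == "*":
        return True
    kind, _, value = target.partition("=")
    if kind == "dn.subtree":
        return entry_dn == value or entry_dn.endswith("," + value)
    return kind == "dn.exact" and entry_dn == value

def who_matches(who, entry_dn, bind_dn):
    if who == "*":
        return True
    if who == "self":
        return bind_dn == entry_dn
    for prefix in ("dn.exact=", "dn="):   # both mean exact match here
        if who.startswith(prefix):
            return bind_dn == who[len(prefix):]
    return False

def evaluate(rules, entry_dn, bind_dn):
    """First `to` clause matching the entry is selected; its `by` clauses
    are tried in order and the first match decides, `break` excepted."""
    for target, by_clauses in rules:
        if not target_matches(target, entry_dn):
            continue
        for who, access in by_clauses:
            if who_matches(who, entry_dn, bind_dn):
                if access == "break":
                    break                  # leave this clause, keep scanning
                return access
        else:
            return "none"                  # implicit trailing `by * none`
    return "none"
# The quoted rules; {1} (attrs=...) omitted: it never selects an entry lookup here.
PEERCRED_RULE = ("*", [("dn.exact=" + PEERCRED, "manage"), ("*", "break")])
CATCH_ALL = ("*", [("self", "read"), ("dn=" + ROOT, "write"), ("*", "none")])
SUBTREE_RULE = ("dn.subtree=" + SUBTREE, [("dn.exact=" + ADMIN, "manage"),
                ("*", "break")])  # assumption: break so other binders fall through
def as_posted():   # {0} {2} {3}: the catch-all {2} shadows the subtree rule
    return [PEERCRED_RULE, CATCH_ALL, SUBTREE_RULE]
def reordered():   # subtree rule moved ahead of the catch-all
    return [PEERCRED_RULE, SUBTREE_RULE, CATCH_ALL]
```

With the posted order, `evaluate(as_posted(), SUBTREE, ADMIN)` yields `none`, and slapd reports a search base the binder cannot read as `32 No such object` rather than as an access error, which matches the result quoted above; with the subtree rule moved ahead of `{2}` the same call yields `manage`.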