ACL needed write privilege to all subtree of "dc=exadel,dc=com" - openldap-technical

5 May 2016

      Hello guys,
Currently I have ACL in my slapd.conf file:
access to attrs=userPassword,userPKCS12
by self write
by * auth
access to attrs=shadowLastChange
by self write
by * read
access to *
by peername.ip=10.206.179.0%255.255.255.0 read
.....
I need write privilege for my group. I made some changes:
access to attrs=userPassword,userPKCS12
by group.exact="cn=LDAP_admins,ou=Roles,ou=Groups,dc=exadel,dc=com" write
by self write
by * auth
access to attrs=shadowLastChange
by group.exact="cn=LDAP_admins,ou=Roles,ou=Groups,dc=exadel,dc=com" write
by self write
by * read
access to dn.subtree="dc=exadel,dc=com"
by group.exact="cn=LDAP_admins,ou=Roles,ou=Groups,dc=exadel,dc=com" write
by peername.ip=206.169.37.147 read
access to *
by peername.ip=10.206.179.0%255.255.255.0 read
After that users from LDAP_admins group can edit all. But our Password 
Change System, where users can change their passwords stopping work 
properly because users can't login.
After I delete
access to dn.subtree="dc=exadel,dc=com"
by group.exact="cn=LDAP_admins,ou=Roles,ou=Groups,dc=exadel,dc=com" write
by peername.ip=206.169.37.147 read
Password Change System start work well, but user from LDAP_admin group 
lose their write permissions.
After that I tried a big amount of configurations options, but have the 
problem.
Please help!
-- 
With Best Wishes
Andrei Valoshyn
Exadel Inc.
System Administrator
avaloshyn@exadel.com

-- 

CONFIDENTIALITY NOTICE: This email and files attached to it are 
confidential. If you are not the intended recipient you are hereby notified 
that using, copying, distributing or taking any action in reliance on the 
contents of this information is strictly prohibited. If you have received 
this email in error please notify the sender and delete this email.