Hi Quanah,
Thanks for the clarification.
I have added as below
+++ olcAccess: {1}to dn.subtree="dc=ldapprod,dc=com" by dn="cn=admin,dc=ldapprod,dc=com" write by dn="uid=authuser,dc=ldapprod,dc=com" write by dn="uid=repluser,dc=ldapprod,dc=com" read by dn="uid=replmonitor,dc=ldapprod,dc=com" read by * none +++
Now the user replmonitor has admin privilege, where it can list all cn. I have tried adding attrs=contextcsn, but no luck. Could you please guide me on how I can restrict this?
Regards K.Keerthiga
On Fri, 14 Feb 2020 at 09:12, Quanah Gibson-Mount quanah@symas.com wrote:
--On Friday, February 14, 2020 8:03 AM +0530 keerthi krishnan keerthikrishnan1369@gmail.com wrote:
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=ldapprod,dc=com" write by dn="uid=authuser,dc=ldapprod,dc=com" write by dn="uid=repluser,dc=ldapprod,dc=com" read by * none
olcAccess: {1}to dn.subtree="dc=ldappro,dc=com" by dn="cn=admin,dc=ldapprod,dc=com" write by dn="uid=authuser,dc=ldapprod,dc=com" write by dn="uid=repluser,dc=ldapprod,dc=com" read by * none
olcAccess: {2} to dn.subtree="dc=ldapprod,dc=com" attrs=contextCSN by dn="uid=replmonitor,dc=ldapprod,dc=com" read by * none =======> newly added
Hi,
As documented in the slapd.access(5) man page, ACL processing stops on the first matching rule. Since rule {1} covers access to all attributes except userPassword, your query for contextCSN matches rule {1} and rule {2} never fires.
You probably want to move access rule {2} to be in front of {1}, and add additional "by" clauses to the rule to allow the admin, authuser, and repluser access to the attr.
Regards, Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
--On Saturday, February 15, 2020 9:21 PM +0530 keerthi krishnan keerthikrishnan1369@gmail.com wrote:
Hi Quanah,
Now the user replmonitor has admin privilege, where it can list all cn. I have tried adding attrs=contextcsn, but no luck. Could you please guide me on how I can restrict this?
contextcsn is an internally managed operational attribute, which means you need to explicitly request it as a part of your search operation, or request that all operational attrs be returned. How are you testing whether or not the bind DN has the ability to read the attribute?
Regards, Quanah
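To make the first-match point from Quanah's first reply concrete, here is an added Python model (not code from this thread or from OpenLDAP) that evaluates the posted rules in the posted order and in the corrected order. It is deliberately simplified: it assumes normalised DNs and covers only the dn.subtree, attrs, by dn= and by * clauses used in the thread (the self and anonymous clauses of rule {0} are left out).

```python
# Added example: a simplified model of slapd's first-match ACL evaluation
# (slapd.access(5)). Only the clause types from the thread are modelled;
# "by self" and "by anonymous" are omitted for brevity.
LEVELS = {"none": 0, "auth": 1, "read": 2, "write": 3}  # slapd privilege ordering


def in_subtree(dn, base):
    """Stand-in for dn.subtree: assumes both DNs are already normalised."""
    return dn.lower() == base.lower() or dn.lower().endswith("," + base.lower())


def rule_matches(rule, target_dn, attr):
    """Does this <what> clause cover the (entry, attribute) being accessed?"""
    if "subtree" in rule and not in_subtree(target_dn, rule["subtree"]):
        return False
    attrs = rule.get("attrs")
    if attrs is None:
        return True  # no attrs= clause: the rule covers every attribute
    return attr.lower() in {a.lower() for a in attrs}


def access(rules, bind_dn, target_dn, attr):
    """Privilege the FIRST matching rule grants bind_dn; later rules never run."""
    for rule in rules:
        if not rule_matches(rule, target_dn, attr):
            continue  # <what> did not match, try the next rule
        for who, level in rule["by"]:
            if who == "*" or who.lower() == bind_dn.lower():
                return level
        return "none"  # rule matched but no <by> clause applied: slapd stops here
    return "none"


BASE = "dc=ldapprod,dc=com"
ADMIN, AUTH, REPL, MON = (f"cn=admin,{BASE}", f"uid=authuser,{BASE}",
                          f"uid=repluser,{BASE}", f"uid=replmonitor,{BASE}")
COMMON_BY = [(ADMIN, "write"), (AUTH, "write"), (REPL, "read")]
PW_RULE = {"attrs": ["userPassword", "shadowLastChange"], "by": COMMON_BY + [("*", "none")]}
ALL_RULE = {"subtree": BASE, "by": COMMON_BY + [("*", "none")]}  # the catch-all {1}
# Rule {2} as posted: listed after the catch-all and naming only replmonitor.
CSN_RULE_POSTED = {"subtree": BASE, "attrs": ["contextCSN"], "by": [(MON, "read"), ("*", "none")]}
# Rule {2} as suggested: moved ahead of {1} and carrying the other identities too.
CSN_RULE_FIXED = {"subtree": BASE, "attrs": ["contextCSN"],
                  "by": COMMON_BY + [(MON, "read"), ("*", "none")]}

POSTED_ORDER = [PW_RULE, ALL_RULE, CSN_RULE_POSTED]  # {0}, {1}, {2} as in the thread
FIXED_ORDER = [PW_RULE, CSN_RULE_FIXED, ALL_RULE]     # contextCSN rule before the catch-all
```

When checking the result against a real server, keep Quanah's second point in mind: contextCSN is operational, so the ldapsearch must name it explicitly or request all operational attributes with `+`.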