I have problems authenticating against this acl [0] with nslcd; if I use [1], authentication is fine. I have the impression the dn.exact is not able to access the password attribute, because getent shows the other attributes. How should I rewrite this so the dn.exact is able to read the password attributes from dn.subtree?
[0]
olcAccess: {0} to dn.exact="" by * read
olcAccess: {1} to dn.exact="cn=Subschema" by * read
olcAccess: {2} to attrs=userPassword,shadowLastChange by ssf=256 self read by ssf=256 anonymous auth by * none continue
olcAccess: {3} to dn.subtree="ou=gggg,ou=ffff,ou=eee,dc=ccc,dc=bbb,dc=aaa" by dn.exact="cn=system,ou=dddd,dc=ccc,dc=bbb,dc=aaa" ssf=64 read
olcAccess: {4} to * by * none

[1]
olcAccess: {0} to dn.exact="" by * read
olcAccess: {1} to dn.exact="cn=Subschema" by * read
olcAccess: {2} to attrs=userPassword,shadowLastChange by ssf=256 self read by ssf=256 anonymous auth by * none
olcAccess: {3} to * by ssf=64 users read by * none
--On Monday, November 11, 2019 11:35 PM +0100 Marc Roos M.Roos@f1-outsourcing.eu wrote:
I have problems authenticating against this acl [0] with nslcd; if I use [1], authentication is fine. I have the impression the dn.exact is not able to access the password attribute, because getent shows the other attributes. How should I rewrite this so the dn.exact is able to read the password attributes from dn.subtree?
olcAccess: {2} to attrs=userPassword,shadowLastChange by ssf=256 self read by ssf=256 anonymous auth by * none continue
The main issue I see is that "continue" doesn't work the way you seem to think it does. "continue", as noted in the man page:
"the continue form allows for other <who> clauses in the same <access> clause to be considered"
You have no additional clauses after the continue in *that* access clause, so it has no effect.
I.e., for continue to work it would be something like:
access to whatever by something +r continue by something .....
Then the second "by something" would be processed.
To consider *multiple* access lines, you need to use the "break" keyword.
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
openldap-technical@openldap.org
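As an added illustration of the "break" point in the reply above (this is not from the thread, nor Symas/OpenLDAP project code), the LDIF below rewrites ACL set [0] so that evaluation of the userPassword/shadowLastChange rule falls through to the subtree rule {3}, where the nslcd bind DN cn=system is granted read. The database DN olcDatabase={1}mdb,cn=config is an assumption; substitute the real one. Continuation lines start with two spaces because LDIF strips exactly one leading space when unfolding.

```ldif
# Added example, not the original poster's config.
# Change: rule {2} ends in "break" instead of "continue".
#   - "continue" only lets later <who> clauses in the SAME rule run,
#     and {2} has none after "by * none", so it did nothing.
#   - "break" lets the NEXT olcAccess rules that match the same target
#     be evaluated, so {3} can grant cn=system read on the subtree.
# The database DN below is an assumption; adjust to the deployed one.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0} to dn.exact="" by * read
olcAccess: {1} to dn.exact="cn=Subschema" by * read
olcAccess: {2} to attrs=userPassword,shadowLastChange
  by ssf=256 self read
  by ssf=256 anonymous auth
  by * none break
olcAccess: {3} to dn.subtree="ou=gggg,ou=ffff,ou=eee,dc=ccc,dc=bbb,dc=aaa"
  by dn.exact="cn=system,ou=dddd,dc=ccc,dc=bbb,dc=aaa" ssf=64 read
olcAccess: {4} to * by * none
```

Apply it with ldapmodify against cn=config, then confirm the result offline with slapacl(8) rather than by trial logins, for example `slapacl -b "uid=someuser,ou=gggg,ou=ffff,ou=eee,dc=ccc,dc=bbb,dc=aaa" -D "cn=system,ou=dddd,dc=ccc,dc=bbb,dc=aaa" -o ssf=64 userPassword/read` (the uid is a placeholder). An equivalent fix that keeps rule {2} self-contained is to add `by dn.exact="cn=system,ou=dddd,dc=ccc,dc=bbb,dc=aaa" ssf=64 read` as a clause before `by * none` in {2}; either way, anonymous and other bind DNs still get "none" on the password attributes, and the ssf=64 requirement means the nslcd connection must carry at least that much transport protection.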