[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Syncrepl and mmr



--On Thursday, January 30, 2014 3:28 PM -0500 "Borresen, John - 0442 - MITLL" <John.Borresen@ll.mit.edu> wrote:

Thanks Quanah...

Now, I'm going to ask this...

My current ACL is:

olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by
anonymous auth by * none olcAccess: {1}to * by * read

Supposed this allows the user to modify their userPassword and (in so
doing) modifying the shadowLastChange, allows anonymous to authenticate
against these entries and allows others to read these entries

Am I reading that correctly...or at least close?

To give my syncrepl user (ldapadmin) access, my new ACL would another
olcAccess:

olcAccess:{2}to * by cn=ldapdmin manage

Is that correct?

I would suggest you re-read the documentation on ACLs. As noted in the ACL documentation, ACL processing STOPS on the first matching ACL by default. So NO ACL is evaluated for userPassword and ShadowLastChange if they do not match the self write, anonymous auth bits. What you would want is something like:

olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by replicauser read by * none
olcAccess: {1}to * by * read

I.e, specifically grant read access to those 2 attrs to whatever the DN is for your replication user.

--Quanah

--

Quanah Gibson-Mount
Architect - Server
Zimbra, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration