
Re: Replication error



Hi Quanah,

thanks for your reply,

On Wed, Oct 11, 2017 at 06:44:01PM -0700, Quanah Gibson-Mount wrote:
> --On Tuesday, October 10, 2017 6:39 PM +0200 Ervin Hegedüs
> <airween@gmail.com> wrote:
> 
> >  binddn="uid=repuser,dc=my,dc=domain,dc=hu"
> 
> >Anyway - how can I solve this problem?
> 
> Your uid=repuser,dc=my,dc=domain,dc=hu user does not have "read" access on
> the userPassword attribute.

what would be the expected form of olcAccess structure?

Now I configured these lines:

dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=my,dc=domain,dc=hu
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by dn="uid=repuser,dc=my,dc=domain,dc=hu" read
  by * none
olcAccess: {1}to dn.children="ou=ABC Customer,dc=my,dc=domain,dc=hu"
  by self write
  by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=my,dc=domain,dc=hu" write
  by * auth
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by * read
olcAccess: {4}to dn.children="ou=ABC Customer,dc=my,dc=domain,dc=hu"
  by self write
  by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=my,dc=domain,dc=hu" write
  by * auth

but it doesn't work - the repuser can't read any part of the db, only
its own record. E.g.

ldapsearch -D "uid=repuser,dc=my,dc=domain,dc=hu" -W -b dc=my,dc=domain,dc=hu "(uid=abc_user1)" uid


gives

# search result
search: 2
result: 0 Success


answer.

What did I do wrong?


Thanks,

a.
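An added example, not code from the thread: a simplified model of how slapd evaluates olcAccess rules (the first matching `to` clause decides, then the first matching `by` clause, with an implicit `by * none`), transcribing the five rules from the message. It assumes only the selectors used above, a constructed group membership, and the standard slapd privilege ordering; the repuser and entry DNs are those from the message.

```python
# Added example (not from the thread): simplified slapd olcAccess evaluation.
# Rule {1} "to dn.children=ou=ABC Customer" matches every entry under that OU
# first, and uid=repuser is neither "self" nor in the admin group, so it gets
# only "auth" there; rule {3} "to *" is never consulted for those entries, and
# rule {4} is unreachable because {3} already matches everything.
SUFFIX = "dc=my,dc=domain,dc=hu"
ABC = "ou=ABC Customer," + SUFFIX
REPUSER = "uid=repuser," + SUFFIX
ADMINS = "cn=groupabcadmin," + ABC

# Transcription of the olcAccess rules from the message, in {n} order.
RULES = [
    ({"attrs": {"userpassword", "shadowlastchange"}},
     [("self", None, "write"), ("anonymous", None, "auth"),
      ("dn", REPUSER, "read"), ("*", None, "none")]),
    ({"dn.children": ABC},
     [("self", None, "write"), ("group", ADMINS, "write"), ("*", None, "auth")]),
    ({"dn.base": ""}, [("*", None, "read")]),
    ({}, [("*", None, "read")]),
    ({"dn.children": ABC},  # unreachable: {3} "to *" matched already
     [("self", None, "write"), ("group", ADMINS, "write"), ("*", None, "auth")]),
]
GROUPS = {ADMINS.lower(): {"uid=abc_admin," + ABC}}  # constructed membership
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

def is_child(entry_dn, base_dn):
    e, b = entry_dn.lower(), base_dn.lower()
    return e != b and e.endswith("," + b)

def to_matches(sel, entry_dn, attr):
    if "dn.base" in sel and entry_dn.lower() != sel["dn.base"].lower():
        return False
    if "dn.children" in sel and not is_child(entry_dn, sel["dn.children"]):
        return False
    return "attrs" not in sel or attr.lower() in sel["attrs"]

def by_matches(who, arg, bind_dn, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if bind_dn is None:
        return False
    if who == "self":
        return bind_dn.lower() == entry_dn.lower()
    if who == "dn":
        return bind_dn.lower() == arg.lower()
    members = {m.lower() for m in GROUPS.get(arg.lower(), ())}
    return who == "group" and bind_dn.lower() in members

def access(bind_dn, entry_dn, attr):
    """Return (index of the rule that decided, granted level)."""
    for i, (sel, by_list) in enumerate(RULES):
        if to_matches(sel, entry_dn, attr):
            for who, arg, level in by_list:
                if by_matches(who, arg, bind_dn, entry_dn):
                    return i, level
            return i, "none"  # implicit "by * none"
    return None, "none"

def can(level, needed):
    """True if the granted level covers the needed one (e.g. search for a filter)."""
    return LEVELS.index(level) >= LEVELS.index(needed)
```

Evaluating `access(REPUSER, "uid=abc_user1," + ABC, "uid")` yields rule 1 with level `auth`, which is below `search`, so the filter `(uid=abc_user1)` cannot be evaluated and the search returns no entries, exactly the empty result shown above.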