Re: Replication error
- To: Quanah Gibson-Mount <quanah@symas.com>
- Subject: Re: Replication error
- From: Ervin Hegedüs <airween@gmail.com>
- Date: Thu, 12 Oct 2017 10:25:20 +0200
- Cc: openldap-technical@openldap.org
- Content-disposition: inline
- In-reply-to: <D623C4BE8861821194C20B82@[192.168.1.30]>
- References: <20171010153948.GA12021@arxnet.hu> <WM!626e4290d90098b207ea0c4ff0ecb33d5e668684377dc5f0acfcbc2d51a74e903bd136ff0c5bf27db885c75ed8858ff6!@mailstronghold-3.zmailcloud.com> <D623C4BE8861821194C20B82@[192.168.1.30]>
- User-agent: Mutt/1.5.24 (2015-08-30)
Hi Quanah,
thanks for your reply,
On Wed, Oct 11, 2017 at 06:44:01PM -0700, Quanah Gibson-Mount wrote:
> --On Tuesday, October 10, 2017 6:39 PM +0200 Ervin Hegedüs
> <airween@gmail.com> wrote:
>
> > binddn="uid=repuser,dc=my,dc=domain,dc=hu"
>
> >Anyway - how can I solve this problem?
>
> Your uid=repuser,dc=my,dc=domain,dc=hu user does not have "read" access on
> the userPassword attribute.
What would be the expected form of the olcAccess structure?
Now I configured these lines:
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=my,dc=domain,dc=hu
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by dn="uid=repuser,dc=my,dc=domain,dc=hu" read
  by * none
olcAccess: {1}to dn.children="ou=ABC Customer,dc=my,dc=domain,dc=hu"
  by self write
  by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=my,dc=domain,dc=hu" write
  by * auth
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by * read
olcAccess: {4}to dn.children="ou=ABC Customer,dc=my,dc=domain,dc=hu"
  by self write
  by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=my,dc=domain,dc=hu" write
  by * auth
but it doesn't work: the repuser can't read any part of the db, only
its own record. E.g.
ldapsearch -D "uid=repuser,dc=my,dc=domain,dc=hu" -W -b dc=my,dc=domain,dc=hu "(uid=abc_user1)" uid
gives
# search result
search: 2
result: 0 Success
answer.
What did I do wrong?
Thanks,
a.
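As an added illustration (not code from this thread or from OpenLDAP), here is a small Python model of how slapd walks olcAccess directives in order, run against the five directives posted above. It shows why the repuser sees only its own entry: directive {1} gives it just "auth" on everything under ou=ABC Customer (below the "search" needed for the filter), and directive {3} already matches every remaining entry, so the duplicate {4} can never be reached. The model is simplified (no "entry" pseudo-attribute, no regex selectors); the abc_user1 entry living under ou=ABC Customer and the empty group membership are assumptions.

```python
# Added illustration, not OpenLDAP code: simplified olcAccess evaluation model.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def norm(dn):                                # case-insensitive, whitespace-tolerant DN compare
    return ",".join(p.strip() for p in dn.split(",")).lower()
def is_child(dn, base):                      # dn.children: any descendant, not base itself
    return norm(dn) != norm(base) and norm(dn).endswith("," + norm(base))

class Acl:
    def __init__(self, by, attrs=None, dn_base=None, dn_children=None):
        self.by, self.attrs = by, attrs      # by: ordered (who, level) pairs; attrs: lowercase set
        self.dn_base, self.dn_children = dn_base, dn_children
    def matches(self, target_dn, attr):      # does this <to> clause cover the target?
        return ((self.attrs is None or attr.lower() in self.attrs)
                and (self.dn_base is None or norm(target_dn) == norm(self.dn_base))
                and (self.dn_children is None or is_child(target_dn, self.dn_children)))

def who_matches(who, requester, target_dn, groups):
    if who in ("*", "anonymous", "users", "self"):
        return {"*": True, "anonymous": requester is None, "users": requester is not None,
                "self": requester is not None and norm(requester) == norm(target_dn)}[who]
    kind, value = who                        # ("dn", exact DN) or ("group", group DN)
    members = groups.get(norm(value), ()) if kind == "group" else (value,)
    return requester is not None and norm(requester) in {norm(m) for m in members}

def access_level(acls, requester, target_dn, attr, groups):
    """First <to> clause matching the target wins; inside it the first matching
    <by> clause decides.  No match means 'none' (slapd's implicit 'by * none')."""
    for index, acl in enumerate(acls):
        if acl.matches(target_dn, attr):
            for who, level in acl.by:
                if who_matches(who, requester, target_dn, groups):
                    return index, level
            return index, "none"
    return None, "none"
def allows(level, needed):                   # e.g. a search filter on uid needs "search"
    return LEVELS.index(level) >= LEVELS.index(needed)

SUFFIX = "dc=my,dc=domain,dc=hu"
REPUSER, ABC = f"uid=repuser,{SUFFIX}", f"ou=ABC Customer,{SUFFIX}"
ABC_ADMIN = f"cn=groupabcadmin,{ABC}"
ABC_ACL = Acl(dn_children=ABC, by=[("self", "write"), (("group", ABC_ADMIN), "write"), ("*", "auth")])
POSTED_ACLS = [                              # olcAccess {0}..{4} as posted
    Acl(attrs={"userpassword", "shadowlastchange"},
        by=[("self", "write"), ("anonymous", "auth"), (("dn", REPUSER), "read"), ("*", "none")]),
    ABC_ACL,                                 # {1}
    Acl(dn_base="", by=[("*", "read")]),     # {2} root DSE
    Acl(by=[("*", "read")]),                 # {3} catches everything remaining ...
    ABC_ACL,                                 # {4} ... so this copy can never be reached
]
GROUPS = {norm(ABC_ADMIN): []}               # constructed: repuser is not a group member
```

Calling `access_level(POSTED_ACLS, REPUSER, f"uid=abc_user1,{ABC}", "uid", GROUPS)` returns `(1, "auth")`, while the same call for the repuser's own entry returns `(3, "read")`, matching the behaviour described in the post.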