
Re: Replication error



Hi all,

On Thu, Oct 12, 2017 at 10:25:20AM +0200, Ervin Hegedüs wrote:
> On Wed, Oct 11, 2017 at 06:44:01PM -0700, Quanah Gibson-Mount wrote:
> > Your uid=repuser,dc=my,dc=domain,dc=hu user does not have "read" access on
> > the userPassword attribute.
> 
> what would be the expected form of olcAccess structure?
> 
> Now I configured these lines:
> 
[...]

> olcAccess: {0}to attrs=userPassword,shadowLastChange
>   by self write
>   by anonymous auth
>   by dn="uid=repuser,dc=my,dc=domain,dc=hu" read
>   by * none
> olcAccess: {1}to dn.children="ou=ABC Customer,dc=my,dc=domain,dc=hu"
>   by self write
>   by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=my,dc=domain,dc=hu" write
>   by * auth
> olcAccess: {2}to dn.base="" by * read
> olcAccess: {3}to * by * read
> olcAccess: {4}to dn.children="ou=ABC Customer,dc=my,dc=domain,dc=hu"
>   by self write
>   by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=my,dc=domain,dc=hu" write
>   by * auth

sorry, looks like these are wrong, I've configured this state:

dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=core,dc=hdt,dc=hu
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read
  by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE


and it works as well.

Now I have to set up the admin rights for users who are members of a
special group (e.g., groupabcadmins).


a.
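To see why the order of those olcAccess entries matters, both for the repuser read clause and for the group-admin rights asked about at the end, here is an added Python model of slapd's first-match ACL evaluation. It is example code, not OpenLDAP's or the poster's; the customer OU, the admin group DN and the user DNs are assumed.

```python
# Added example, not OpenLDAP code: a toy model of how slapd walks an ordered
# olcAccess list (first "to" clause matching the target decides; within it, the first
# matching "by" decides). Only clause forms used in the thread are modelled.
LEVELS = {"none": 0, "disclose": 1, "auth": 2, "compare": 3, "search": 4, "read": 5, "write": 6}

def _to_matches(what, target_dn, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr in what[6:].split(",")
    if what == 'dn.base=""':
        return target_dn == ""
    if what.startswith("dn.children="):
        parent = what[12:].strip('"')
        return target_dn != parent and target_dn.endswith("," + parent)
    return False  # unsupported <what> form in this toy

def _by_matches(who, target_dn, bind_dn, groups):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn == target_dn
    if who.startswith("dn="):
        return bind_dn == who[3:].strip('"')
    if who.startswith("group.exact="):
        return bind_dn in groups.get(who[12:].strip('"'), ())
    return False  # unsupported <who> form in this toy

def granted_level(acls, target_dn, attr, bind_dn, groups=None):
    """Access level the ordered list grants bind_dn (None = anonymous) on target_dn/attr."""
    for what, by in acls:
        if _to_matches(what, target_dn, attr):
            for who, level in by:
                if _by_matches(who, target_dn, bind_dn, groups or {}):
                    return level
            return "none"  # no "by" matched: implicit "by * none"
    return "none"

# Constructed from the working configuration quoted above, plus a hypothetical
# group-admin clause for the follow-up question (DNs and group name assumed).
REPUSER = "uid=repuser,dc=core,dc=hdt,dc=hu"
CUSTOMER_OU = "ou=ABC Customer,dc=core,dc=hdt,dc=hu"
ADMIN_GROUP = "cn=groupabcadmin," + CUSTOMER_OU
WORKING_ACLS = [("attrs=userPassword,shadowLastChange", [("self", "write"),
                 ("anonymous", "auth"), ("dn=" + REPUSER, "read"), ("*", "none")]),
                ('dn.base=""', [("*", "read")]), ("*", [("*", "read")])]
ADMIN_ACL = ('dn.children="%s"' % CUSTOMER_OU, [("self", "write"),
             ('group.exact="%s"' % ADMIN_GROUP, "write"), ("*", "auth")])
```

Inserting ADMIN_ACL before the `to * by * read` entry grants the group write access; appending it after that entry has no effect, because `to *` already matched. Either way, entry {0} still governs userPassword, so the group cannot reset passwords unless {0} itself grants it.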