
Re: Admin roles by group membership per OU



Hi Clément,

On Thu, Oct 12, 2017 at 05:01:54PM +0200, Clément OUDOT wrote:
> >
> >So, I've modified your idea like this:
> >
> >
> >olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="uid=repuser,dc=mycompany,dc=hu" read by * none
> >olcAccess: {1}to dn.base="" by * read
> >olcAccess: {2}to dn.children="ou=ABC Customer,dc=mycompany,dc=hu" by self write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu" write by self write by anonymous auth
> >olcAccess: {3}to * by * read
> >
> >With these rules, I can modify the user attributes, except the
> >userPassword.
> >
> >But after the modification (on the master node), the slave can't
> >replicate the new entries...
> >
> >Without rule {2}, the slave works well with the repuser DN.
> >
> >What did I do wrong?
> 
> Just add by dn="uid=repuser,dc=mycompany,dc=hu" read in rule {2}

no luck - the replication doesn't work:

Oct 12 17:29:51 open-ldap slapd[31421]: => access_allowed: result not in cache (userPassword)
Oct 12 17:29:51 open-ldap slapd[31421]: => access_allowed: auth access to "uid=abc_user1,ou=ABC Customer,dc=mycompany,dc=hu" "userPassword" requested
Oct 12 17:29:51 open-ldap slapd[31421]: => acl_get: [1] attr userPassword
Oct 12 17:29:51 open-ldap slapd[31421]: => acl_mask: access to entry "uid=abc_user1,ou=ABC Customer,dc=mycompany,dc=hu", attr "userPassword" requested
Oct 12 17:29:51 open-ldap slapd[31421]: => acl_mask: to value by "", (=0)
Oct 12 17:29:51 open-ldap slapd[31421]: <= check a_dn_pat: self
Oct 12 17:29:51 open-ldap slapd[31421]: <= check a_dn_pat: anonymous
Oct 12 17:29:51 open-ldap slapd[31421]: <= acl_mask: [2] applying auth(=xd) (stop)
Oct 12 17:29:51 open-ldap slapd[31421]: <= acl_mask: [2] mask: auth(=xd)
Oct 12 17:29:51 open-ldap slapd[31421]: => slap_access_allowed: auth access granted by auth(=xd)
Oct 12 17:29:51 open-ldap slapd[31421]: => access_allowed: auth access granted by auth(=xd)
Oct 12 17:29:51 open-ldap slapd[31421]: => mdb_entry_get: found entry: "uid=abc_airween,ou=abc customer,dc=mycompany,dc=hu"
Oct 12 17:29:51 open-ldap slapd[31421]: => access_allowed: search access to "uid=abc_airween,ou=ABC Customer,dc=mycompany,dc=hu" "objectClass" requested
Oct 12 17:29:51 open-ldap slapd[31421]: => dn: [2]
Oct 12 17:29:51 open-ldap slapd[31421]: => dn: [3] ou=abc customer,dc=mycompany,dc=hu
Oct 12 17:29:51 open-ldap slapd[31421]: => acl_get: [3] matched
Oct 12 17:29:51 open-ldap slapd[31421]: => acl_get: [3] attr objectClass
Oct 12 17:29:51 open-ldap slapd[31421]: => acl_mask: access to entry "uid=abc_airween,ou=ABC Customer,dc=mycompany,dc=hu", attr "objectClass" requested
Oct 12 17:29:51 open-ldap slapd[31421]: => acl_mask: to all values by "uid=repuser,dc=mycompany,dc=hu", (=0)
Oct 12 17:29:51 open-ldap slapd[31421]: <= check a_dn_pat: self
Oct 12 17:29:51 open-ldap slapd[31421]: <= check a_group_pat: cn=groupabcadmin,ou=abc customer,dc=mycompany,dc=hu
Oct 12 17:29:51 open-ldap slapd[31421]: => mdb_entry_get: found entry: "cn=groupabcadmin,ou=abc customer,dc=mycompany,dc=hu"
Oct 12 17:29:51 open-ldap slapd[31421]: <= check a_dn_pat: self
Oct 12 17:29:51 open-ldap slapd[31421]: <= check a_dn_pat: anonymous
Oct 12 17:29:51 open-ldap slapd[31421]: <= check a_dn_pat: uid=repuser,dc=mycompany,dc=hu
Oct 12 17:29:51 open-ldap slapd[31421]: <= acl_mask: no more <who> clauses, returning =0 (stop)
Oct 12 17:29:51 open-ldap slapd[31421]: => slap_access_allowed: search access denied by =0
Oct 12 17:29:51 open-ldap slapd[31421]: => access_allowed: no more rules



rules:

olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.children="ou=ABC Customer,dc=core,dc=hdt,dc=hu" by self write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=core,dc=hdt,dc=hu" write by self write by anonymous auth by dn="uid=repuser,dc=mycompany,dc=hu" read
olcAccess: {3}to * by * read


Thanks,


a.
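Added example (editor's note, not part of the thread and not OpenLDAP code): a small Python model of how slapd walks olcAccess rules, run against the first rule set quoted above. In the trace, acl_get numbers rules from 1, so its [3] is olcAccess {2}. The first <to> clause that matches an entry/attribute pair is the only one consulted, so for anything under ou=ABC Customer the <by> clauses of {2} are the whole story and the "by * read" of {3} is never reached; a matching rule whose <by> clauses all miss denies ("no more <who> clauses, returning =0 (stop)"). The model also shows one ordering that avoids the problem, which is this example's suggestion rather than something from the thread: a first rule "to * by dn.exact=<replication DN> read by * break", which grants the consumer read on everything and lets every other identity fall through to the remaining rules. DN styles are written explicitly (dn.exact), the directory is an in-memory dict, uid=abc_admin is an assumed member of groupabcadmin, and because the posted rules mix two suffixes the model uses the dc=mycompany,dc=hu one that appears in the trace.

```python
"""Toy model of slapd first-match access control (added example, not OpenLDAP
code). Covers only what the posted olcAccess rules use: attrs=, dn.base,
dn.children, '*', self, anonymous, dn.exact, group.exact and a privilege-less
'by * break' fall-through. Regex styles, 'continue' and +/- privileges are out."""
from dataclasses import dataclass

# Privilege levels in increasing order: granting X satisfies any request <= X.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def norm(dn: str) -> str:
    """Case-fold and trim RDN separators, like the normalised DNs in the trace."""
    return ",".join(p.strip() for p in dn.lower().split(",")) if dn else ""


@dataclass
class Who:
    kind: str              # '*', 'self', 'anonymous', 'dn.exact', 'group.exact'
    level: str = "none"    # privilege granted when this clause matches
    pattern: str = ""      # DN for dn.exact / group.exact
    control: str = "stop"  # 'stop' (default) or 'break' (fall through to next rule)


@dataclass
class Rule:
    who: list              # ordered <by> clauses of one olcAccess value
    attrs: tuple = ()      # attrs=...; empty means every attribute
    dn_style: str = "*"    # '*', 'base' or 'children'
    what_dn: str = ""

    def matches(self, entry: str, attr: str) -> bool:
        if self.attrs and attr.lower() not in {a.lower() for a in self.attrs}:
            return False
        e, b = norm(entry), norm(self.what_dn)
        if self.dn_style == "base":
            return e == b
        if self.dn_style == "children":      # proper descendants only
            return e != b and e.endswith("," + b)
        return True


def who_matches(w: Who, binddn: str, entry: str, directory: dict) -> bool:
    if w.kind == "*":
        return True
    if w.kind == "anonymous":
        return binddn == ""
    if w.kind == "self":
        return binddn != "" and norm(binddn) == norm(entry)
    if w.kind == "dn.exact":
        return norm(binddn) == norm(w.pattern)
    if w.kind == "group.exact":              # slapd default: groupOfNames / member
        members = directory.get(norm(w.pattern), {}).get("member", ())
        return norm(binddn) in {norm(m) for m in members}
    raise ValueError(f"unsupported <who> kind {w.kind!r}")


def access_allowed(rules, directory, binddn, entry, attr, access) -> bool:
    """First <to> clause matching (entry, attr) decides; inside it the first
    matching <who> clause decides unless it says 'break'. A matched rule whose
    <who> clauses all miss denies, as in the trace's 'returning =0 (stop)'."""
    for rule in rules:
        if not rule.matches(entry, attr):
            continue
        for w in rule.who:
            if who_matches(w, binddn, entry, directory):
                if w.control == "break":
                    break                    # keep going with the next rule
                return LEVELS.index(w.level) >= LEVELS.index(access)
        else:
            return False                     # <to> matched, no <who> matched
    return False                             # nothing matched at all


# Constructed DNs; the trace uses the dc=mycompany,dc=hu suffix, so this does too.
BASE = "dc=mycompany,dc=hu"
OU = f"ou=ABC Customer,{BASE}"
REPUSER = f"uid=repuser,{BASE}"
GROUP = f"cn=groupabcadmin,{OU}"
USER = f"uid=abc_user1,{OU}"          # entry named in the posted trace
ADMIN = f"uid=abc_admin,{OU}"         # hypothetical member of groupabcadmin
DIRECTORY = {norm(GROUP): {"member": [ADMIN]}}   # only membership matters here

# The first rule set posted in the thread: {2} has no clause for repuser.
POSTED = [
    Rule(attrs=("userPassword", "shadowLastChange"),
         who=[Who("self", "write"), Who("anonymous", "auth"),
              Who("dn.exact", "read", REPUSER), Who("*", "none")]),
    Rule(dn_style="base", what_dn="", who=[Who("*", "read")]),
    Rule(dn_style="children", what_dn=OU,
         who=[Who("self", "write"), Who("group.exact", "write", GROUP),
              Who("anonymous", "auth")]),
    Rule(who=[Who("*", "read")]),
]

# This example's suggestion (not from the thread): grant the replication identity
# read everywhere first; everyone else falls through with 'break', so no later
# per-OU rule can shadow the consumer.
REPLICATOR_FIRST = [
    Rule(who=[Who("dn.exact", "read", REPUSER), Who("*", control="break")]),
    Rule(attrs=("userPassword", "shadowLastChange"),
         who=[Who("self", "write"), Who("anonymous", "auth"), Who("*", "none")]),
    Rule(dn_style="base", what_dn="", who=[Who("*", "read")]),
    Rule(dn_style="children", what_dn=OU,
         who=[Who("self", "write"), Who("group.exact", "write", GROUP),
              Who("anonymous", "auth")]),
    Rule(who=[Who("*", "read")]),
]


def replica_can_sync(rules) -> bool:
    """Can repuser search the OU's user entries, as the slave's syncrepl must?"""
    return access_allowed(rules, DIRECTORY, REPUSER, USER, "objectClass", "search")
```

Two things worth checking against the output: a groupabcadmin member gets write on cn=groupabcadmin itself in both orderings, because the group entry is a child of the OU and dn.children covers it, so the delegated admins can change their own membership; and userPassword stays protected by the attrs rule in both orderings, which is why the thread reports writes to user attributes succeeding but not to the password.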