Re: Replication problem with attributes
- To: Dennis Meyer <snooops84@gmail.com>, openldap-technical@openldap.org
- Subject: Re: Replication problem with attributes
- From: Quanah Gibson-Mount <quanah@symas.com>
- Date: Thu, 09 Nov 2017 07:03:35 -0800
--On Thursday, November 09, 2017 12:39 PM +0100 Dennis Meyer
<snooops84@gmail.com> wrote:
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=loginShell,gecos by dn="cn=admin,dc=localdomain" write by self write by * read
olcAccess: {2}to attrs=shadowLastChange by self write by * read
olcAccess: {3}to * by * read
olcAccess: {4}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=localdomain" write by dn="cn=mirrormode,dc=localdomain" read by * none
ACL {4} will never be evaluated, because ACL parsing stops on the first
match, which will be ACL {3} (access to everything by anyone read). Even
if you fix that problem, ACL {4} would still be unlikely to be evaluated
due to ACL {0} as well.
Any ideas how I could solve this?
Fix your ACLs. ;) Something like:
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=localdomain" write by dn="cn=mirrormode,dc=localdomain" read
olcAccess: {1}to attrs=loginShell,gecos by dn="cn=admin,dc=localdomain" write by self write by * read
olcAccess: {2}to attrs=shadowLastChange by self write by dn="cn=admin,dc=localdomain" write by * read
olcAccess: {3}to * by dn="cn=admin,dc=localdomain" write by * read
Note that "by * none" at the end of an ACL is implicit, so it's not
required to list it explicitly.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
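The first-match rule Quanah describes, modelled as an added example that is not part of the thread or of OpenLDAP itself: slapd takes the first `to <what>` clause matching the attribute, then the first `by <who>` clause in it matching the requester, with an implicit `by * none` closing every ACL. Only the `attrs=`/`*` forms and the `self`/`anonymous`/DN/`*` subjects used in the thread are modelled; the entry DN `uid=bob,dc=localdomain` is a constructed sample.

```python
# Added example, not from the thread: a minimal model of slapd ACL evaluation.
# First "to <what>" that matches the attribute wins; inside it, the first
# "by <who>" that matches the requester wins; an implicit "by * none" ends
# every ACL, so later ACLs are never consulted. Only the forms used in the
# thread (attrs=, *, self, anonymous, exact DN, *) are modelled.
from typing import List, Optional, Set, Tuple, Union

ADMIN = "cn=admin,dc=localdomain"
MIRROR = "cn=mirrormode,dc=localdomain"

# Each ACL is (what, [(who, level), ...]); what is "*" or a set of attributes.
Acl = Tuple[Union[str, Set[str]], List[Tuple[str, str]]]

# Dennis's original ACL set, transcribed from the quoted olcAccess values.
ORIGINAL_ACLS: List[Acl] = [
    ({"userPassword"}, [("self", "write"), ("anonymous", "auth"), ("*", "none")]),
    ({"loginShell", "gecos"}, [(ADMIN, "write"), ("self", "write"), ("*", "read")]),
    ({"shadowLastChange"}, [("self", "write"), ("*", "read")]),
    ("*", [("*", "read")]),
    ({"userPassword", "shadowLastChange"}, [("self", "write"), ("anonymous", "auth"),
                                             (ADMIN, "write"), (MIRROR, "read"), ("*", "none")]),
]

# Quanah's suggested replacement (the trailing "by * none" is implicit).
FIXED_ACLS: List[Acl] = [
    ({"userPassword"}, [("self", "write"), ("anonymous", "auth"), (ADMIN, "write"), (MIRROR, "read")]),
    ({"loginShell", "gecos"}, [(ADMIN, "write"), ("self", "write"), ("*", "read")]),
    ({"shadowLastChange"}, [("self", "write"), (ADMIN, "write"), ("*", "read")]),
    ("*", [(ADMIN, "write"), ("*", "read")]),
]

def who_matches(who: str, bind_dn: Optional[str], target_dn: str) -> bool:
    """bind_dn is None for an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn == target_dn
    return bind_dn == who  # exact DN match

def access(acls: List[Acl], bind_dn: Optional[str], target_dn: str, attr: str):
    """Return (index of the ACL that decided, access level) as slapd would."""
    for i, (what, clauses) in enumerate(acls):
        if what != "*" and attr not in what:
            continue  # this ACL does not apply to the attribute
        for who, level in clauses:
            if who_matches(who, bind_dn, target_dn):
                return i, level
        return i, "none"  # implicit "by * none": evaluation stops here
    return None, "none"
```

With the original set, the replication DN reaches ACL {0} for userPassword and is denied there, and ACL {4} is never consulted for any attribute; with the fixed set it gets read on userPassword from ACL {0}.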