
Re: Replication problem with attributes



--On Thursday, November 09, 2017 12:39 PM +0100 Dennis Meyer <snooops84@gmail.com> wrote:


olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=loginShell,gecos by dn="cn=admin,dc=localdomain" write by self write by * read
olcAccess: {2}to attrs=shadowLastChange by self write by * read
olcAccess: {3}to * by * read
olcAccess: {4}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=localdomain" write by dn="cn=mirrormode,dc=localdomain" read by * none

ACL {4} will never be evaluated, because ACL parsing stops on the first match, which will be ACL {3} (access to everything by anyone read). Even if you fix that problem, ACL {4} would still be unlikely to be evaluated due to ACL {0} as well.

Any ideas how I could solve this?

Fix your ACLs. ;)  Something like:

olcAccess: {0}to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=localdomain" write by dn="cn=mirrormode,dc=localdomain" read
olcAccess: {1}to attrs=loginShell,gecos by dn="cn=admin,dc=localdomain" write by self write by * read
olcAccess: {2}to attrs=shadowLastChange by self write by dn="cn=admin,dc=localdomain" write by * read
olcAccess: {3}to * by dn="cn=admin,dc=localdomain" write by * read

Note that "by * none" at the end of an ACL is implicit, so it's not required to list it explicitly.

--Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
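The first-match rule Quanah describes is easy to get wrong when reading a long olcAccess list, so here is an added example (not from the thread, and not OpenLDAP's own code) that models slapd's evaluation order on both the poster's ACLs and the corrected set. It implements only the pieces the thread uses: `to *` and `to attrs=...` selectors, and `by` clauses for `self`, `anonymous`, `users`, `*` and `dn="..."` (matched as an exact DN). The entry DN `uid=alice,ou=people,dc=localdomain` is a constructed example. Real slapd supports far more (dn styles, filters, peername, sets, ssf); this is an explanation aid, not a policy checker.

```python
"""Simulate slapd's first-match ACL walk over a list of olcAccess values.

Simplified model (added example, not OpenLDAP code): the first <what> clause
that selects the attribute ends the search; inside it, the first <by> clause
whose <who> matches the requester decides the access; if none does, access is
none (the implicit "by * none" Quanah mentions). If no <what> matches at all,
a non-empty access list ends with an implicit "to * by * none".
"""
import re
from typing import List, Optional, Set, Tuple

# slapd's access levels, lowest to highest; each level implies the lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# The poster's ACLs, reassembled from the thread (mail wrapping removed).
ORIGINAL_ACLS = [
    '{0}to attrs=userPassword by self write by anonymous auth by * none',
    '{1}to attrs=loginShell,gecos by dn="cn=admin,dc=localdomain" write by self write by * read',
    '{2}to attrs=shadowLastChange by self write by * read',
    '{3}to * by * read',
    '{4}to attrs=userPassword,shadowLastChange by self write by anonymous auth '
    'by dn="cn=admin,dc=localdomain" write by dn="cn=mirrormode,dc=localdomain" read by * none',
]

# Quanah's corrected set.
FIXED_ACLS = [
    '{0}to attrs=userPassword by self write by anonymous auth '
    'by dn="cn=admin,dc=localdomain" write by dn="cn=mirrormode,dc=localdomain" read',
    '{1}to attrs=loginShell,gecos by dn="cn=admin,dc=localdomain" write by self write by * read',
    '{2}to attrs=shadowLastChange by self write by dn="cn=admin,dc=localdomain" write by * read',
    '{3}to * by dn="cn=admin,dc=localdomain" write by * read',
]

ADMIN = "cn=admin,dc=localdomain"
MIRROR = "cn=mirrormode,dc=localdomain"
ALICE = "uid=alice,ou=people,dc=localdomain"   # constructed target entry

WHO_RE = re.compile(
    r'by\s+(\*|self|anonymous|users|dn="[^"]*")\s+(none|auth|compare|search|read|write)')


def parse_acl(value: str) -> Tuple[Optional[Set[str]], List[Tuple[str, str]]]:
    """Return (selected attrs, or None for '*'; ordered [(who, access), ...])."""
    body = re.sub(r"^\{\d+\}", "", value.strip())        # drop the {n} ordering tag
    m = re.match(r"to\s+(\*|attrs=\S+)\s+(.*)$", body)
    if not m:
        raise ValueError("unsupported ACL form: " + value)
    what, rest = m.groups()
    attrs = None if what == "*" else {a.lower() for a in what[len("attrs="):].split(",")}
    return attrs, WHO_RE.findall(rest)


def who_matches(who: str, requester: Optional[str], entry_dn: str) -> bool:
    """requester is the bound DN, or None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == entry_dn.lower()
    if who.startswith('dn="'):                              # plain dn= is an exact match
        return requester is not None and requester.lower() == who[4:-1].lower()
    return False


def evaluate(acls: List[str], requester: Optional[str], entry_dn: str,
             attr: str) -> Tuple[str, Optional[int]]:
    """Return (granted access, index of the ACL that decided it, or None)."""
    for idx, value in enumerate(acls):
        attrs, clauses = parse_acl(value)
        if attrs is not None and attr.lower() not in attrs:
            continue                       # this <what> does not select the attribute
        for who, access in clauses:
            if who_matches(who, requester, entry_dn):
                return access, idx         # first matching <by> wins; stop here
        return "none", idx                 # implicit "by * none" closes the clause
    return "none", None                    # implicit "to * by * none" closes the list


def allows(acls: List[str], requester: Optional[str], entry_dn: str,
           attr: str, needed: str) -> bool:
    """True if the granted level is at least `needed` (write implies read, etc.)."""
    access, _ = evaluate(acls, requester, entry_dn, attr)
    return LEVELS.index(access) >= LEVELS.index(needed)


if __name__ == "__main__":
    for label, acls in (("original", ORIGINAL_ACLS), ("fixed", FIXED_ACLS)):
        for who, name in ((None, "anonymous"), (ALICE, "self"), (ADMIN, "admin"), (MIRROR, "mirrormode")):
            access, idx = evaluate(acls, who, ALICE, "userPassword")
            print(f"{label:8} {name:10} userPassword -> {access:5} (decided by ACL {idx})")
```

With the original list, the mirrormode DN is stopped by `{0}` (which ends in `by * none`) and never reaches `{4}`; after the fix it gets `read` from `{0}`, while an unrelated bound user still gets `none` without any explicit `by * none`. For checks against a live configuration use slapacl(8), for example `slapacl -F /etc/ldap/slapd.d -D "cn=mirrormode,dc=localdomain" -b "uid=alice,ou=people,dc=localdomain" userPassword/read` (the config directory path is an assumption; adjust it to your installation).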