[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Admin roles by group membership per OU
Hi Clément,
thanks for your help,
On Thu, Oct 12, 2017 at 09:16:24AM +0200, Clément OUDOT wrote:
>
>
> Le 11/10/2017 à 17:31, Ervin Hegedüs a écrit :
> >olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
> >olcAccess: {1}to dn.base="" by * read
> >olcAccess: {2}to * by * read
> >olcAccess: {3}to dn.children="ou=ABC Customer,dc=mycompany,dc=hu" by self write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu" write by * auth
>
> The rule {2} catches all requests (to * by *) so rule {3} is never applied.
>
> You can do :
>
> olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by
> anonymous auth by * none
> olcAccess: {1}to dn.base="" by * read
> olcAccess: {2}to dn.children="ou=ABC Customer,dc=mycompany,dc=hu" by self
> write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu"
> write by * none
> olcAccess: {3}to * by * read
whit these rules, I could't read with anonymous nor authenticated
user from the DB, only the self record.
So, I've modified your idea like this:
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="uid=repuser,dc=mycompany,dc=hu" read by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.children="ou=ABC Customer,dc=mycompany,dc=hu" by self write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu" write by self write by anonymous auth
olcAccess: {3}to * by * read
Whith this rules, I can modify the user attributes, except the
userPassword.
But after the modificítion (on master node), de slave can't
replicates the new entries...
Without rule {2}, the slave works as well with repuser dn.
What did I made badly?
Thanks,
a.