
Re: Admin roles by group membership per OU

On 12/10/2017 at 16:39, Ervin Hegedüs wrote:
> Hi Clément,
>
> thanks for your help,
>
> On Thu, Oct 12, 2017 at 09:16:24AM +0200, Clément OUDOT wrote:
>
> > On 11/10/2017 at 17:31, Ervin Hegedüs wrote:
> > > olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
> > > olcAccess: {1}to dn.base="" by * read
> > > olcAccess: {2}to * by * read
> > > olcAccess: {3}to dn.children="ou=ABC Customer,dc=mycompany,dc=hu" by self write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu" write by * auth
> >
> > The rule {2} catches all requests (to * by *), so rule {3} is never applied.
> >
> > You can do:
> >
> > olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
> > olcAccess: {1}to dn.base="" by * read
> > olcAccess: {2}to dn.children="ou=ABC Customer,dc=mycompany,dc=hu" by self write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu" write by * none
> > olcAccess: {3}to * by * read
>
> With these rules, I couldn't read from the DB as anonymous nor as an
> authenticated user, only the self record.
>
> So, I've modified your idea like this:
>
> olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="uid=repuser,dc=mycompany,dc=hu" read by * none
> olcAccess: {1}to dn.base="" by * read
> olcAccess: {2}to dn.children="ou=ABC Customer,dc=mycompany,dc=hu" by self write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu" write by self write by anonymous auth
> olcAccess: {3}to * by * read
>
> With these rules, I can modify the user attributes, except the
> userPassword.
>
> But after the modification (on the master node), the slave can't
> replicate the new entries...
>
> Without rule {2}, the slave works as well with the repuser dn.
>
> What did I do wrong?

Just add by dn="uid=repuser,dc=mycompany,dc=hu" read in rule {2}.

Clément.
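The point behind Clément's answer is OpenLDAP's first-match evaluation: the first olcAccess rule whose "to" clause matches the entry and attribute is the only one consulted, and inside it the first matching "by" clause decides, with an implicit "by * none" at the end. The replication user matches the "to dn.children=..." target of rule {2} but none of its "by" clauses, so it is denied on every attribute of the ABC Customer subtree that rule {0} does not cover, and rule {3} is never reached. The following is an added example, not code from the thread or from OpenLDAP: a small constructed model of those semantics that parses the olcAccess lines quoted above and compares Ervin's rules with the same rules plus the suggested "by dn=... read" clause. The group membership, the user DNs (alice, bob, carol) and the access-level ordering are assumptions made for the example.

```python
"""Toy first-match evaluator for OpenLDAP olcAccess rules.

Constructed model for illustration, not OpenLDAP's own code. It keeps just
enough of the semantics (first matching 'to' clause wins, first matching
'by' clause inside it decides, implicit 'by * none' at the end) to show why
the replication user needs its own 'by dn=... read' inside rule {2}.
"""
import re

# Subset of OpenLDAP's access levels, weakest first (assumed ordering).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Constructed sample group membership: alice is in the ABC admin group.
GROUPS = {
    "cn=groupabcadmin,ou=abc customer,dc=mycompany,dc=hu": {
        "uid=alice,ou=abc customer,dc=mycompany,dc=hu",
    },
}

REPUSER = "uid=repuser,dc=mycompany,dc=hu"
CUSTOMER_ENTRY = "uid=bob,ou=ABC Customer,dc=mycompany,dc=hu"  # constructed


def norm(dn):
    """Case- and whitespace-insensitive DN form (no escaped-comma handling)."""
    return ",".join(p.strip() for p in dn.lower().split(",")) if dn else ""


def is_child(entry, base):
    """True when entry lies strictly below base (OpenLDAP dn.children)."""
    entry, base = norm(entry), norm(base)
    return entry != base and entry.endswith("," + base)


def parse_rule(line):
    """Split 'olcAccess: {n}to WHAT by WHO LEVEL by ...' into (what, [(who, level)])."""
    body = re.sub(r"^olcAccess:\s*\{\d+\}", "", line).strip()
    parts = body.split(" by ")
    what = parts[0][len("to "):].strip()
    bys = [tuple(p.strip().rsplit(" ", 1)) for p in parts[1:]]
    return what, bys


def target_matches(what, entry, attr):
    """Does the 'to' clause apply to this entry/attribute pair?"""
    if what == "*":
        return True
    kind, _, value = what.partition("=")
    value = value.strip('"')
    if kind == "attrs":
        return attr.lower() in [a.strip().lower() for a in value.split(",")]
    if kind == "dn.base":
        return norm(entry) == norm(value)
    if kind == "dn.children":
        return is_child(entry, value)
    raise ValueError("unsupported target: " + what)


def who_matches(who, requester, entry):
    """Does the 'by' subject describe the requester (None = anonymous)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and norm(requester) == norm(entry)
    kind, _, value = who.partition("=")
    value = value.strip('"')
    if kind == "dn":
        return requester is not None and norm(requester) == norm(value)
    if kind == "group.exact":
        return requester is not None and norm(requester) in GROUPS.get(norm(value), set())
    raise ValueError("unsupported subject: " + who)


def evaluate(acl, requester, entry, attr):
    """Return the level granted by the first rule whose target matches."""
    for line in acl:
        what, bys = parse_rule(line)
        if not target_matches(what, entry, attr):
            continue
        for who, level in bys:
            if who_matches(who, requester, entry):
                return level
        return "none"  # implicit 'by * none': later rules are NOT consulted
    return "none"      # no rule matched at all: also denied


def allows(acl, requester, entry, attr, needed):
    """True when the granted level is at least 'needed'."""
    return LEVELS.index(evaluate(acl, requester, entry, attr)) >= LEVELS.index(needed)


# Ervin's rules as quoted in the thread (rule {2} has no clause for repuser).
ORIGINAL_ACL = [
    'olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="uid=repuser,dc=mycompany,dc=hu" read by * none',
    'olcAccess: {1}to dn.base="" by * read',
    'olcAccess: {2}to dn.children="ou=ABC Customer,dc=mycompany,dc=hu" by self write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu" write by self write by anonymous auth',
    'olcAccess: {3}to * by * read',
]

# The same rules with the suggested 'by dn="uid=repuser,..." read' in rule {2}.
FIXED_ACL = list(ORIGINAL_ACL)
FIXED_ACL[2] = FIXED_ACL[2] + ' by dn="uid=repuser,dc=mycompany,dc=hu" read'

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        print(name, "repuser on cn ->", evaluate(acl, REPUSER, CUSTOMER_ENTRY, "cn"))
```

Running it shows repuser getting "none" on ordinary attributes of the ABC Customer entries under the original rules and "read" once the clause is added, while userPassword was already readable through rule {0}; that asymmetry is exactly why replication of those entries stalled while the password attribute alone was fine. The model also makes visible a side effect of the quoted rule {2}: an authenticated user who is neither the entry itself nor a group member is denied entirely on that subtree, because the rule ends without a "by *" clause and rule {3} never applies.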