
Re: Admin roles by group membership per OU



--On Monday, October 16, 2017 11:45 AM +0200 Ervin Hegedüs <airween@gmail.com> wrote:

dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read by * none
olcAccess: {1}to dn.children="ou=ABC Customer,dc=core,dc=hdt,dc=hu" by self write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=core,dc=hdt,dc=hu" write by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read
olcAccess: {2}to * by * read


and a member of cn=groupabcadmin,ou=ABC Customer,dc=core,dc=hdt,dc=hu
can modify any attribute of any user under ou=ABC Customer,
EXCEPT userPassword - when I want to modify that, I get a
permission error:

That would be expected, given your ACLs.

How can I combine the attrs and group permissions? Should I list
all attributes in the rule?

You need to add a rule in the userPassword ACL to allow the group to write to the attribute. ACLs are processed in the order they are listed, and STOP at the first match. This is clearly documented in the slapd.access(5) man page.

I.e., you would need:

dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=core,dc=hdt,dc=hu" write
olcAccess: {1}to dn.children="ou=ABC Customer,dc=core,dc=hdt,dc=hu" by self write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=core,dc=hdt,dc=hu" write by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read
olcAccess: {2}to * by * read


I would note again that "by * none" is implicit on any ACL, there's no need to specifically list it.

--Quanah



--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
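To make the first-match behaviour discussed in this thread concrete, here is an added toy evaluator (example code written for this page, not slapd's implementation) that models both ACL sets above. The group membership and the user DNs uid=alice and uid=bob are constructed for the example; slapd would read them from the directory.

```python
# Toy model of slapd's first-match ACL evaluation (added example, not slapd code).
BASE = "dc=core,dc=hdt,dc=hu"
OU = f"ou=ABC Customer,{BASE}"
ADMIN_GROUP = f"cn=groupabcadmin,{OU}"
REPUSER = f"uid=repuser,{BASE}"

# Constructed group membership (slapd reads this from the group entry's member attr).
GROUP_MEMBERS = {ADMIN_GROUP: {f"uid=alice,{OU}"}}

# <what> predicates: which (entry DN, attribute) pairs a rule applies to.
def attrs(*names): return lambda dn, attr: attr in names
def children(parent): return lambda dn, attr: dn.endswith("," + parent)
def anything(dn, attr): return True

# <who> predicates: which requester a "by" clause applies to (None = anonymous).
def self_(req, dn): return req == dn
def anon(req, dn): return req is None
def group(g): return lambda req, dn: req in GROUP_MEMBERS.get(g, set())
def dn_is(d): return lambda req, dn: req == d
def anyone(req, dn): return True
def access(rules, requester, target_dn, attr):
    """First rule whose <what> matches decides; inside it, the first matching
    "by" clause sets the level, and the implicit "by * none" ends the search."""
    for what, by in rules:
        if what(target_dn, attr):
            for who, level in by:
                if who(requester, target_dn):
                    return level
            return "none"
    return "none"

# Ervin's original ACLs: userPassword rule {0} matches first and never names the group.
ORIGINAL = [
    (attrs("userPassword", "shadowLastChange"),
     [(self_, "write"), (anon, "auth"), (dn_is(REPUSER), "read"), (anyone, "none")]),
    (children(OU),
     [(self_, "write"), (group(ADMIN_GROUP), "write"), (dn_is(REPUSER), "read")]),
    (anything, [(anyone, "read")]),
]
# Quanah's fix: add the group clause to rule {0}; rules {1} and {2} are unchanged.
FIXED = [
    (attrs("userPassword", "shadowLastChange"),
     [(self_, "write"), (anon, "auth"), (dn_is(REPUSER), "read"),
      (group(ADMIN_GROUP), "write")]),
    ORIGINAL[1], ORIGINAL[2],
]
if __name__ == "__main__":
    alice, bob = f"uid=alice,{OU}", f"uid=bob,{OU}"
    print(access(ORIGINAL, alice, bob, "userPassword"))  # none
    print(access(FIXED, alice, bob, "userPassword"))     # write
```

With the original rules the group member is stopped at rule {0}, which matches userPassword first and has no clause for the group; the fix adds that clause so the same rule grants write.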