On Thu, 18 Oct 2018 09:48:22 +0200, Lirien Maxime <maxime.lir...@gmail.com> wrote:
> Damn! My ACLs don't work despite your help :-/

Run slapd in debugging mode 'acl' or test with slapacl(8); note that
contextCSN is stored in the root entry.

-Dieter

> In the log it seems that "supervision" can't access dc=fr, it starts
> from dc=gouv,dc=fr.
> Without rule #3, it's ok because of rule #5.
> But with rule #3 it's supposed to match contextCSN.
>
> Thanks guys.
>
> Here are my ACLs:
>
> # 1) Admin's branch
> access to dn.subtree="ou=Comptes Admin,dc=fr"
>     by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
>     by self auth
>     by users auth
>     by anonymous auth
>
> # 2) userPassword accessible by all
> access to * attrs=userPassword
>     by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
>     by users auth
>     by anonymous auth
>     by * none
>
> # 3) ********* CONTEXTCSN **********
> access to dn.base="dc=fr" attrs=entry,children,contextcsn
>     by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
>     by dn.exact="cn=supervision,ou=Comptes Clients,dc=fr" read
>     by * none
>
> # 4) Certificate
> access to *
>     attrs=userCertificateAuthentication,userCertificateConfidentiality,userCertificateSigning
>     by dn.exact="cn=clienttest,ou=Comptes Clients,dc=fr" read
>     by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
>     by * none
>
> # 5) Branch dc=gouv,dc=fr
> access to dn.subtree="dc=gouv,dc=fr"
>     by dn.subtree="ou=Comptes Clients,dc=fr" read
>     by dn.subtree="ou=Comptes Admin,dc=fr" write
>     by * none
>
> # 6) All the tree
> access to *
>     by dn.exact="cn=root,dc=fr" write
>     by dn.subtree="ou=Comptes Admin,dc=fr" read
>     by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
>     by self none
>     by users none
>     by anonymous none
>     by * none
>
> On Tue, Oct 16, 2018 at 6:31 PM Quanah Gibson-Mount <qua...@symas.com> wrote:
>
>> --On Tuesday, October 16, 2018 6:54 PM +0200 Dieter Klünter
>> <die...@dkluenter.de> wrote:
>>
>>> On Tue, 16 Oct 2018 15:51:50 +0200, Lirien Maxime <maxime.lir...@gmail.com> wrote:
>>>
>>>> Hi all,
>>>> thanks for reading.
>>>> I have a "supervision" account on all my LDAP servers. With the
>>>> Nagios plugin, it checks the synchro. I would like this account to
>>>> read only contextCSN to check the synchro, and only contextCSN, not
>>>> the other entries (Nagios check plugin).
>>>> Can someone help me to write the right ACL?
>>>>
>>>> Here is what I tried, but it's not really right :-/
>>>> # ContextCSN
>>>> access to dn.subtree="dc=fr" attrs=contextCSN
>>>>     by dn.subtree="cn=supervision,ou=Comptes Clients,dc=fr" read
>>>>     by * none
>>>
>>> access to dn.base=dc=fr
>>>     attrs=entry,children,contextCSN read
>>
>> I'd also be careful of doing "by * none" to the contextCSN, etc, as
>> that can break replication depending on the DN that binds to the
>> master(s), since the replication DN must be able to read the
>> contextCSN.
>>
>> --Quanah
>>
>> --
>>
>> Quanah Gibson-Mount
>> Product Architect
>> Symas Corporation
>> Packaged, certified, and supported LDAP solutions powered by
>> OpenLDAP: <http://www.symas.com>

--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N 10°08'02,42"E
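Added example, not part of the thread: a small Python model of slapd.access(5) first-match evaluation, loaded with the posted rules 1, 2, 3, 5 and 6 (rule 4 is left out because it only covers certificate attributes), to show what each bind DN gets on the contextCSN of dc=fr and why any replication DN not named in rule 3 falls through to its `by * none`, as Quanah warns. It models only the per-attribute decision, not search-base or filter access, so it complements slapacl(8) rather than replacing it; `cn=replica,dc=fr` is an assumed placeholder DN.

```python
# Constructed, simplified model of OpenLDAP's slapd.access(5) evaluation: the first
# "access to" directive whose target matches is selected, then the first matching
# "by" clause inside it decides; no match at either level means "none".
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def _norm(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))

def dn_matches(style, pattern, dn):
    dn, pattern = _norm(dn), _norm(pattern)
    if style in ("base", "exact"):
        return dn == pattern
    if style == "subtree":
        return dn == pattern or dn.endswith("," + pattern)
    raise ValueError("unsupported dn style: " + style)

def who_matches(who, bind_dn, target_dn):
    kind = who[0]  # "*", "anonymous", "users", "self" or ("dn", style, pattern)
    if kind == "*":
        return True
    if kind == "anonymous":
        return bind_dn is None
    if kind == "users":
        return bind_dn is not None
    if kind == "self":
        return bind_dn is not None and _norm(bind_dn) == _norm(target_dn)
    return bind_dn is not None and dn_matches(who[1], who[2], bind_dn)

def access_level(acls, bind_dn, target_dn, attr):
    """Level bind_dn (None = anonymous) gets on attr of target_dn; attr may be 'entry' or 'children'."""
    for what_style, what_dn, attrs, by_clauses in acls:
        if what_dn is not None and not dn_matches(what_style, what_dn, target_dn):
            continue
        if attrs is not None and attr.lower() not in [a.lower() for a in attrs]:
            continue
        for who, level in by_clauses:
            if who_matches(who, bind_dn, target_dn):
                return level
        return "none"  # directive selected but no "by" clause matched
    return "none"      # no directive matched at all

def allows(acls, bind_dn, target_dn, attr, needed):
    return LEVELS.index(access_level(acls, bind_dn, target_dn, attr)) >= LEVELS.index(needed)

SYNC = "cn=Synchro,ou=Comptes Admin,dc=fr"
SUPERVISION = "cn=supervision,ou=Comptes Clients,dc=fr"
ACLS = [  # posted rules 1, 2, 3, 5, 6; a None target stands for "access to *"
    ("subtree", "ou=Comptes Admin,dc=fr", None, [(("dn", "exact", SYNC), "read"),
     (("self",), "auth"), (("users",), "auth"), (("anonymous",), "auth")]),
    (None, None, ["userPassword"], [(("dn", "exact", SYNC), "read"),
     (("users",), "auth"), (("anonymous",), "auth"), (("*",), "none")]),
    ("base", "dc=fr", ["entry", "children", "contextCSN"], [(("dn", "exact", SYNC), "read"),
     (("dn", "exact", SUPERVISION), "read"), (("*",), "none")]),
    ("subtree", "dc=gouv,dc=fr", None, [(("dn", "subtree", "ou=Comptes Clients,dc=fr"), "read"),
     (("dn", "subtree", "ou=Comptes Admin,dc=fr"), "write"), (("*",), "none")]),
    (None, None, None, [(("dn", "exact", "cn=root,dc=fr"), "write"),
     (("dn", "subtree", "ou=Comptes Admin,dc=fr"), "read"), (("*",), "none")]),
]
```

Supervision gets read on contextCSN and the entry pseudo-attribute of dc=fr but nothing else on that entry, which is the stated goal; a replication identity outside rule 3's two DNs is denied contextCSN, which is the replication breakage Quanah describes.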