Hi all,

On Thu, Oct 12, 2017 at 10:25:20AM +0200, Ervin Hegedüs wrote:
> On Wed, Oct 11, 2017 at 06:44:01PM -0700, Quanah Gibson-Mount wrote:
> > Your uid=repuser,dc=my,dc=domain,dc=hu user does not have "read" access on
> > the userPassword attribute.
>
> what would be the expected form of olcAccess structure?
>
> Now I configured these lines:
> [...]
> olcAccess: {0}to attrs=userPassword,shadowLastChange
>   by self write
>   by anonymous auth
>   by dn="uid=repuser,dc=my,dc=domain,dc=hu" read
>   by * none
> olcAccess: {1}to dn.children="ou=ABC Customer,dc=my,dc=domain,dc=hu"
>   by self write
>   by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=my,dc=domain,dc=hu" write
>   by * auth
> olcAccess: {2}to dn.base="" by * read
> olcAccess: {3}to * by * read
> olcAccess: {4}to dn.children="ou=ABC Customer,dc=my,dc=domain,dc=hu"
>   by self write
>   by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=my,dc=domain,dc=hu" write
>   by * auth

Sorry, it looks like these are wrong; I've configured this state:

dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=core,dc=hdt,dc=hu
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE

and it works as well.

Now I have to set up the admin rights for users who are members of a special group (e.g. groupabcadmins).

a.
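As an added illustration (not part of the thread, and not slapd's own code), the following Python models the first-match evaluation that makes the ordering of the olcAccess clauses above matter: the userPassword rule only protects the attribute because it precedes the `to * by * read` catch-all. The group DN, its membership mapping and the subtree-admin rule are constructed for the example, and the model assumes simplified semantics (attrs/dn.children targets only, no `break`/`continue`, unmatched `to` treated as denied).

```python
from dataclasses import dataclass

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

@dataclass(frozen=True)
class Rule:
    by: tuple                       # ordered (<who>, <level>) pairs
    attrs: frozenset = frozenset()  # `to attrs=...`; empty = any attribute
    children_of: str = ""           # `to dn.children="<dn>"`; "" = any entry

def who_matches(who, requester, entry_dn, groups):
    """Match one <who> clause against the bound DN (None = anonymous bind)."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester.lower() == entry_dn.lower()
    if who.startswith("dn="):
        return requester is not None and requester.lower() == who[3:].lower()
    if who.startswith("group.exact="):  # groups: constructed {group dn: {member dns}} stand-in
        return requester is not None and requester.lower() in groups.get(who[12:].lower(), set())
    raise ValueError(f"unsupported <who>: {who}")

def granted(rules, requester, entry_dn, attr, groups=None):
    """First `to` clause matching the entry/attribute is selected; its first matching `by` decides."""
    groups = groups or {}
    for r in rules:
        if r.attrs and attr.lower() not in r.attrs:
            continue
        if r.children_of and not entry_dn.lower().endswith("," + r.children_of.lower()):
            continue
        for who, level in r.by:
            if who_matches(who, requester, entry_dn, groups):
                return level
        return "none"  # `to` matched but no `by` did: implicit `by * none`
    return "none"      # no `to` matched: treated as denied in this model (assumption)

def allows(rules, requester, entry_dn, attr, needed, groups=None):
    return LEVELS.index(granted(rules, requester, entry_dn, attr, groups)) >= LEVELS.index(needed)

# The poster's working ACL (suffix dc=core,dc=hdt,dc=hu) in slapd's evaluation order
REPUSER = "uid=repuser,dc=core,dc=hdt,dc=hu"
ABC_ADMINS = "cn=groupabcadmin,ou=ABC Customer,dc=core,dc=hdt,dc=hu"  # constructed group DN
PW_RULE = Rule((("self", "write"), ("anonymous", "auth"), ("dn=" + REPUSER, "read"), ("*", "none")),
               attrs=frozenset({"userpassword", "shadowlastchange"}))
ADMIN_RULE = Rule((("self", "write"), ("group.exact=" + ABC_ADMINS, "write"), ("*", "auth")),
                  children_of="ou=ABC Customer,dc=core,dc=hdt,dc=hu")  # constructed subtree-admin rule
WORKING = [PW_RULE, ADMIN_RULE, Rule((("*", "read"),))]
MISORDERED = [Rule((("*", "read"),)), PW_RULE, ADMIN_RULE]  # catch-all first: password rule never reached
```

Evaluating `granted(MISORDERED, some_other_user, entry, "userPassword")` returns `read`, which is exactly the exposure the ordering of the working configuration prevents.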