Hi,

sorry for the late answer,

On Thu, Oct 12, 2017 at 04:39:45PM +0200, Ervin Hegedüs wrote:
> On Thu, Oct 12, 2017 at 09:16:24AM +0200, Clément OUDOT wrote:
[...]

> > 
> > You can do :
> > 
> > olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by
> > anonymous auth by * none
> > olcAccess: {1}to dn.base="" by * read
> > olcAccess: {2}to dn.children="ou=ABC Customer,dc=mycompany,dc=hu" by self
> > write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu"
> > write by * none
> > olcAccess: {3}to * by * read
> 
[...]
 
> So, I've modified your idea like this:
> 
> 
> olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by 
> anonymous auth by dn="uid=repuser,dc=mycompany,dc=hu" read by * none
> olcAccess: {1}to dn.base="" by * read
> olcAccess: {2}to dn.children="ou=ABC Customer,dc=mycompany,dc=hu" by self 
> write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu" 
> write by self write by anonymous auth
> olcAccess: {3}to * by * read
> 
> With these rules, I can modify the user attributes, except the
> userPassword.
> 
> But after the modification (on the master node), the slave can't
> replicate the new entries...

here are the loglines:

Oct 12 16:49:11 open-ldap slapd[31421]: => access_allowed: result not in cache (userPassword)
Oct 12 16:49:11 open-ldap slapd[31421]: => access_allowed: auth access to "uid=abc_user1,ou=ABC Customer,dc=mycompany,dc=hu" "userPassword" requested
Oct 12 16:49:11 open-ldap slapd[31421]: => acl_get: [1] attr userPassword
Oct 12 16:49:11 open-ldap slapd[31421]: => acl_mask: access to entry "uid=abc_user1,ou=ABC Customer,dc=mycompany,dc=hu", attr "userPassword" requested
Oct 12 16:49:11 open-ldap slapd[31421]: => acl_mask: to value by "", (=0)
Oct 12 16:49:11 open-ldap slapd[31421]: <= check a_dn_pat: self
Oct 12 16:49:11 open-ldap slapd[31421]: <= check a_dn_pat: anonymous
Oct 12 16:49:11 open-ldap slapd[31421]: <= acl_mask: [2] applying auth(=xd) (stop)
Oct 12 16:49:11 open-ldap slapd[31421]: <= acl_mask: [2] mask: auth(=xd)
Oct 12 16:49:11 open-ldap slapd[31421]: => slap_access_allowed: auth access granted by auth(=xd)
Oct 12 16:49:11 open-ldap slapd[31421]: => access_allowed: auth access granted by auth(=xd)
Oct 12 16:49:11 open-ldap slapd[31421]: => mdb_entry_get: found entry: "uid=abc_airween,ou=abc customer,dc=mycompany,dc=hu"
Oct 12 16:49:11 open-ldap slapd[31421]: => access_allowed: search access to "uid=abc_airween,ou=ABC Customer,dc=mycompany,dc=hu" "objectClass" requested
Oct 12 16:49:11 open-ldap slapd[31421]: => dn: [2]
Oct 12 16:49:11 open-ldap slapd[31421]: => dn: [3] ou=abc customer,dc=mycompany,dc=hu
Oct 12 16:49:11 open-ldap slapd[31421]: => acl_get: [3] matched
Oct 12 16:49:11 open-ldap slapd[31421]: => acl_get: [3] attr objectClass
Oct 12 16:49:11 open-ldap slapd[31421]: => acl_mask: access to entry "uid=abc_airween,ou=ABC Customer,dc=mycompany,dc=hu", attr "objectClass" requested
Oct 12 16:49:11 open-ldap slapd[31421]: => acl_mask: to all values by "uid=repuser,dc=mycompany,dc=hu", (=0)
Oct 12 16:49:11 open-ldap slapd[31421]: <= check a_dn_pat: self
Oct 12 16:49:11 open-ldap slapd[31421]: <= check a_group_pat: cn=groupabcadmin,ou=abc customer,dc=mycompany,dc=hu
Oct 12 16:49:11 open-ldap slapd[31421]: => mdb_entry_get: found entry: "cn=groupabcadmin,ou=abc customer,dc=mycompany,dc=hu"
Oct 12 16:49:11 open-ldap slapd[31421]: <= check a_dn_pat: self
Oct 12 16:49:11 open-ldap slapd[31421]: <= check a_dn_pat: anonymous
Oct 12 16:49:11 open-ldap slapd[31421]: <= acl_mask: no more <who> clauses, returning =0 (stop)
Oct 12 16:49:11 open-ldap slapd[31421]: => slap_access_allowed: search access denied by =0
Oct 12 16:49:11 open-ldap slapd[31421]: => access_allowed: no more rules

where:
* uid=abc_user1,ou=ABC Customer,dc=mycompany,dc=hu is the admin
  user who wants to execute the request; it's a member of
  cn=groupabcadmin,ou=abc customer,dc=mycompany,dc=hu
* uid=abc_airween,ou=abc customer,dc=mycompany,dc=hu is the OU
  user whose data could be modified
* uid=repuser,dc=mycompany,dc=hu is the replicator user

Thanks,

a. 
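Added example (mine, not code from this thread or from OpenLDAP): a small Python model of slapd's ACL evaluation order, replayed over the four olcAccess rules quoted above with the three identities the log names. It reproduces what the log shows for the consumer's search: the dn.children rule (acl_get: [3] in the log, which counts from 1; olcAccess {2}) is the first `to` clause whose target matches, none of its `by` clauses matches uid=repuser, and evaluation stops there with `=0` instead of falling through to `{3}to * by * read`. Assumptions: DN comparison is a lower-cased string compare, `dn=` is treated as dn.exact, the group membership dict is constructed from the description above (abc_user1 is a member), `mail` stands in for any attribute other than userPassword, and the FIXED rule set is one illustrative way to give the consumer read access on the subtree, not an answer given on the list.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Access levels in slapd's order; a granted level implies every lower one.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def level_ge(granted, requested):
    return LEVELS.index(granted) >= LEVELS.index(requested)

def norm(dn):
    """Simplified DN normalisation: case-insensitive, whitespace-tolerant."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def is_child_of(dn, base):
    """dn.children=<base>: entries strictly below base (base itself excluded)."""
    dn, base = norm(dn), norm(base)
    return dn != base and dn.endswith("," + base)

@dataclass
class By:
    who: str     # "self", "anonymous", "*", "dn=<DN>" (modelled as dn.exact) or "group=<DN>"
    access: str  # one of LEVELS

@dataclass
class To:
    attrs: set | None = None        # attrs=...; None means any attribute
    dn_base: str | None = None      # dn.base=<DN>
    dn_children: str | None = None  # dn.children=<DN>
    by: list = field(default_factory=list)

    def matches(self, entry_dn, attr):
        if self.attrs is not None and attr not in self.attrs:
            return False
        if self.dn_base is not None and norm(entry_dn) != norm(self.dn_base):
            return False
        return self.dn_children is None or is_child_of(entry_dn, self.dn_children)

def who_matches(who, bind_dn, entry_dn, groups):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "self":
        return bind_dn != "" and norm(bind_dn) == norm(entry_dn)
    if who.startswith("dn="):
        return norm(who[3:]) == norm(bind_dn)
    if who.startswith("group="):
        return norm(bind_dn) in groups.get(norm(who[6:]), set())
    raise ValueError(f"unsupported <who>: {who}")

def access_allowed(rules, bind_dn, entry_dn, attr, requested, groups):
    """The first <to> clause whose target matches is selected and later ones are
    never consulted; inside it the first matching <by> decides; no matching <by>
    means no access (implicit `by * none`).  Returns (allowed, acl_mask-style trace)."""
    for i, rule in enumerate(rules):
        if not rule.matches(entry_dn, attr):
            continue
        for by in rule.by:
            if who_matches(by.who, bind_dn, entry_dn, groups):
                return level_ge(by.access, requested), f"[{i}] applying {by.access} (stop)"
        return False, f"[{i}] no more <who> clauses, returning =0 (stop)"
    return False, "no more rules"

SUBTREE = "ou=ABC Customer,dc=mycompany,dc=hu"
ADMINS = "cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu"
REPUSER = "uid=repuser,dc=mycompany,dc=hu"
ADMIN = "uid=abc_user1,ou=ABC Customer,dc=mycompany,dc=hu"
USER = "uid=abc_airween,ou=abc customer,dc=mycompany,dc=hu"
GROUPS = {norm(ADMINS): {norm(ADMIN)}}  # constructed from the mail: abc_user1 is a member

# The olcAccess {0}..{3} rules exactly as posted (indices 0-based like olcAccess).
POSTED = [
    To(attrs={"userPassword", "shadowLastChange"},
       by=[By("self", "write"), By("anonymous", "auth"), By("dn=" + REPUSER, "read"), By("*", "none")]),
    To(dn_base="", by=[By("*", "read")]),
    To(dn_children=SUBTREE,
       by=[By("self", "write"), By("group=" + ADMINS, "write"), By("self", "write"), By("anonymous", "auth")]),
    To(by=[By("*", "read")]),
]
# Hypothetical fix: the same {2} rule with `by dn.exact="uid=repuser,..." read` added.
FIXED = POSTED[:2] + [To(dn_children=SUBTREE,
    by=[By("self", "write"), By("group=" + ADMINS, "write"), By("dn=" + REPUSER, "read"), By("anonymous", "auth")])] + POSTED[3:]

def replay(rules):
    """The checks the thread describes; "mail" is a placeholder for any non-password attribute."""
    return {
        "anon_auth_pw": access_allowed(rules, "", ADMIN, "userPassword", "auth", GROUPS)[0],
        "repuser_search": access_allowed(rules, REPUSER, USER, "objectClass", "search", GROUPS)[0],
        "admin_write_attr": access_allowed(rules, ADMIN, USER, "mail", "write", GROUPS)[0],
        "admin_write_pw": access_allowed(rules, ADMIN, USER, "userPassword", "write", GROUPS)[0],
    }

if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("fixed", FIXED)):
        print(name, replay(rules), access_allowed(rules, REPUSER, USER, "objectClass", "search", GROUPS)[1])
```

Run stand-alone it prints the posted set denying repuser_search with the trace "[2] no more <who> clauses, returning =0 (stop)" and the fixed set allowing it; the other three results (anonymous auth on userPassword granted, admin writes to other attributes allowed, admin write to userPassword denied) match what the mail reports. The point to take from the trace is that a `to` clause is final once its target matches: a permissive `to * by * read` at the end never rescues an identity that an earlier, more specific clause failed to mention.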