Hi, sorry for the late answer,
On Thu, Oct 12, 2017 at 04:39:45PM +0200, Ervin Hegedüs wrote:
> On Thu, Oct 12, 2017 at 09:16:24AM +0200, Clément OUDOT wrote:
[...]
> >
> > You can do :
> >
> > olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by
> > anonymous auth by * none
> > olcAccess: {1}to dn.base="" by * read
> > olcAccess: {2}to dn.children="ou=ABC Customer,dc=mycompany,dc=hu" by self
> > write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu"
> > write by * none
> > olcAccess: {3}to * by * read
> [...]
> So, I've modified your idea like this:
>
>
> olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by
> anonymous auth by dn="uid=repuser,dc=mycompany,dc=hu" read by * none
> olcAccess: {1}to dn.base="" by * read
> olcAccess: {2}to dn.children="ou=ABC Customer,dc=mycompany,dc=hu" by self
> write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu"
> write by self write by anonymous auth
> olcAccess: {3}to * by * read
>
> With these rules, I can modify the user attributes, except the
> userPassword.
>
> But after the modification (on master node), the slave can't
> replicate the new entries...
here are the loglines:

Oct 12 16:49:11 open-ldap slapd[31421]: => access_allowed: result not in cache (userPassword)
Oct 12 16:49:11 open-ldap slapd[31421]: => access_allowed: auth access to "uid=abc_user1,ou=ABC Customer,dc=mycompany,dc=hu" "userPassword" requested
Oct 12 16:49:11 open-ldap slapd[31421]: => acl_get: [1] attr userPassword
Oct 12 16:49:11 open-ldap slapd[31421]: => acl_mask: access to entry "uid=abc_user1,ou=ABC Customer,dc=mycompany,dc=hu", attr "userPassword" requested
Oct 12 16:49:11 open-ldap slapd[31421]: => acl_mask: to value by "", (=0)
Oct 12 16:49:11 open-ldap slapd[31421]: <= check a_dn_pat: self
Oct 12 16:49:11 open-ldap slapd[31421]: <= check a_dn_pat: anonymous
Oct 12 16:49:11 open-ldap slapd[31421]: <= acl_mask: [2] applying auth(=xd) (stop)
Oct 12 16:49:11 open-ldap slapd[31421]: <= acl_mask: [2] mask: auth(=xd)
Oct 12 16:49:11 open-ldap slapd[31421]: => slap_access_allowed: auth access granted by auth(=xd)
Oct 12 16:49:11 open-ldap slapd[31421]: => access_allowed: auth access granted by auth(=xd)
Oct 12 16:49:11 open-ldap slapd[31421]: => mdb_entry_get: found entry: "uid=abc_airween,ou=abc customer,dc=mycompany,dc=hu"
Oct 12 16:49:11 open-ldap slapd[31421]: => access_allowed: search access to "uid=abc_airween,ou=ABC Customer,dc=mycompany,dc=hu" "objectClass" requested
Oct 12 16:49:11 open-ldap slapd[31421]: => dn: [2]
Oct 12 16:49:11 open-ldap slapd[31421]: => dn: [3] ou=abc customer,dc=mycompany,dc=hu
Oct 12 16:49:11 open-ldap slapd[31421]: => acl_get: [3] matched
Oct 12 16:49:11 open-ldap slapd[31421]: => acl_get: [3] attr objectClass
Oct 12 16:49:11 open-ldap slapd[31421]: => acl_mask: access to entry "uid=abc_airween,ou=ABC Customer,dc=mycompany,dc=hu", attr "objectClass" requested
Oct 12 16:49:11 open-ldap slapd[31421]: => acl_mask: to all values by "uid=repuser,dc=mycompany,dc=hu", (=0)
Oct 12 16:49:11 open-ldap slapd[31421]: <= check a_dn_pat: self
Oct 12 16:49:11 open-ldap slapd[31421]: <= check a_group_pat: cn=groupabcadmin,ou=abc customer,dc=mycompany,dc=hu
Oct 12 16:49:11 open-ldap slapd[31421]: => mdb_entry_get: found entry: "cn=groupabcadmin,ou=abc customer,dc=mycompany,dc=hu"
Oct 12 16:49:11 open-ldap slapd[31421]: <= check a_dn_pat: self
Oct 12 16:49:11 open-ldap slapd[31421]: <= check a_dn_pat: anonymous
Oct 12 16:49:11 open-ldap slapd[31421]: <= acl_mask: no more <who> clauses, returning =0 (stop)
Oct 12 16:49:11 open-ldap slapd[31421]: => slap_access_allowed: search access denied by =0
Oct 12 16:49:11 open-ldap slapd[31421]: => access_allowed: no more rules

where:

* uid=abc_user1,ou=ABC Customer,dc=mycompany,dc=hu is the admin user, who wants to execute the request; it's a member of cn=groupabcadmin,ou=abc customer,dc=mycompany,dc=hu
* uid=abc_airween,ou=abc customer,dc=mycompany,dc=hu is the OU user, whose data could be modified
* uid=repuser,dc=mycompany,dc=hu is the replicator user

Thanks,

a.
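The ACL walk the log records, as an added Python model that is not part of this thread and not slapd's own code: it replays the four olcAccess rules above under a simplified assumption (the first matching <what> clause is final, and a <what> match with no matching <who> yields no access and never falls through to a later rule, which is what "no more <who> clauses, returning =0 (stop)" shows). The `dn="..."` clause is treated as an exact match and the group membership table is constructed from the thread.

```python
# Added, simplified model of slapd ACL evaluation (assumption, not slapd code):
# the first <what> clause matching the target decides; within it the first
# matching <who> sets the level; no <who> match means "none", no fall-through.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

OU = "ou=ABC Customer,dc=mycompany,dc=hu"
GROUP = "cn=groupabcadmin," + OU
REPUSER = "uid=repuser,dc=mycompany,dc=hu"  # replication consumer identity
ADMIN = "uid=abc_user1," + OU               # admin, member of GROUP (per thread)
AIRWEEN = "uid=abc_airween," + OU           # entry being modified / replicated
GROUPS = {GROUP.lower(): {ADMIN.lower()}}   # constructed membership table
# The four olcAccess rules from the thread, in {n} order: (<what>, [(<who>, level)]).
RULES = [
    (("attrs", {"userpassword", "shadowlastchange"}),
     [("self", "write"), ("anonymous", "auth"), ("dn=" + REPUSER, "read"), ("*", "none")]),
    (("dn.base", ""), [("*", "read")]),
    (("dn.children", OU),
     [("self", "write"), ("group=" + GROUP, "write"), ("self", "write"), ("anonymous", "auth")]),
    (("*", None), [("*", "read")]),
]

def what_matches(what, dn, attr):
    kind, value = what
    dn = dn.lower()
    if kind == "attrs": return attr.lower() in value
    if kind == "dn.base": return dn == value.lower()
    if kind == "dn.children": return dn != value.lower() and dn.endswith("," + value.lower())
    return True  # "*"

def who_matches(who, requester, dn):
    req = requester.lower()  # "" is the anonymous identity
    if who == "*": return True
    if who == "anonymous": return req == ""
    if who == "self": return req != "" and req == dn.lower()
    kind, value = who.split("=", 1)  # "dn=<dn>" (exact) or "group=<dn>" (group.exact)
    if kind == "dn": return req == value.lower()
    return req in GROUPS.get(value.lower(), set())

def access_level(requester, dn, attr):
    """Level granted to requester on (dn, attr); the first <what> match is final."""
    for what, by in RULES:
        if not what_matches(what, dn, attr):
            continue
        for who, level in by:
            if who_matches(who, requester, dn):
                return level
        return "none"  # <what> matched but no <who> did: stop here, deny
    return "none"

def allowed(requester, dn, attr, needed):
    return LEVELS.index(access_level(requester, dn, attr)) >= LEVELS.index(needed)
```

`access_level(REPUSER, AIRWEEN, "objectClass")` comes back "none": rule {2} captures the consumer's search and has no <who> for it, so "{3}to * by * read" is never consulted, matching the denial in the log.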