--On Sunday, January 16, 2022 7:24 PM +0000 cupc...@domayn.ch wrote:


So I've created pwchange.ldif with the help of this serverfault post
(https://serverfault.com/questions/1064914/q-what-is-the-correct-way-to-add-olcaccess-rules-to-openldap):

The post misses important points about how to do ACLs.

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess


Rather than a replace op, you can just delete and add ACL {0} directly, since you're not changing any of the other ACLs.


olcAccess: {0}to attrs=userPassword
  by self write
  by dn="cn=admin,dc=ldap,dc=example,dc=com" manage
  by dn="[cn=sys_allow_pw_change,ou=Groups,dc=ldap,dc=example,dc=com]/memberUid & user/uid" write
  by anonymous auth

The above seems very wrong. Is sys_allow_pw_change an actual LDAP group (groupofNames, groupOfUniqueNames, or groupOfMembers)? If so, just standard group ACL format should work.

I.e., by dn.group="..." write

--Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
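For reference, the following LDIF puts the two suggestions from the reply above together: it deletes and re-adds only ACL {0} instead of replacing the whole olcAccess list, and it grants the group write access with the standard group clause. This is an added example, not something posted in the thread. It assumes sys_allow_pw_change is a groupOfNames entry whose members are listed in its member attribute (the default for the group clause); a groupOfUniqueNames would need group/groupOfUniqueNames/uniqueMember instead.

```ldif
# Added example: modify only ACL {0} on the {1}mdb database.
# Deleting by ordered index leaves the other olcAccess values untouched.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {0}
-
add: olcAccess
# Order matters: the first matching "by" clause wins, and anything not
# matched falls through to an implicit "by * none".
olcAccess: {0}to attrs=userPassword
  by self write
  by dn.exact="cn=admin,dc=ldap,dc=example,dc=com" manage
  by group="cn=sys_allow_pw_change,ou=Groups,dc=ldap,dc=example,dc=com" write
  by anonymous auth
-
```

The group clause tests whether the bound DN is listed as a member of the named group entry, so accounts that are not members fall through to the remaining clauses. Keep "by anonymous auth" in place, otherwise simple binds against userPassword stop working. After applying the change with ldapmodify against cn=config, confirm the result with an ldapsearch of the olcAccess attribute on olcDatabase={1}mdb,cn=config rather than trusting the modify alone.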
