--On Monday, January 17, 2022 5:52 PM +0100 cupc...@domayn.ch wrote:
> Thanks for your answer,
>
>> Rather than a replace op, you can just delete and add ACL {0} directly,
>> since you're not changing any of the other ACLs.
>
> So this means I can omit the entries for olcAccess: {1} and olcAccess:
> {2}?
> And for olcAccess: {0} I would first create a delete operation and after
> that re-add it again? Why is that better than a replace, if I may ask?
Yes, you can use the weight in a delete op, like
ldapmodify ...
dn: ...
delete: olcAccess
olcAccess: {0}
-
add: olcAccess
olcAccess: {0}access to ...
I would say it's better than replace for a few reasons. The largest being
a lower likelihood of end-user error (typos, etc.).
You can also do the same sort of thing to insert ACLs, like
ldapmodify ...
dn: ....
add: olcAccess
olcAccess: {1}access to ...
Would put a new ACL at {1} and increment all subsequent ACLs to preserve
order.
>> Is sys_allow_pw_change an actual LDAP group
>> (groupofNames, groupOfUniqueNames, or groupOfMembers)?
>
> ObjectClass is posixGroup and members are saved in a memberUID field:
Generally I'd advise using LDAP groups not *nix posixgroups for managing
LDAP access.
I would also note that "memberUID" can be problematic if you end up with
multiple entries with the same UID, an issue that DN based LDAP groups
cannot encounter.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
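As an added illustration (not part of the thread and not OpenLDAP's own code), the Python below models how slapd applies the {n} ordering prefix of olcAccess for the delete/add and insert records discussed above, and renders the matching LDIF modify record. The database DN and the ACL values are constructed assumptions.

```python
import re

# Constructed sample (not from the thread): three olcAccess values of an assumed
# olcDatabase={1}mdb,cn=config entry, bodies in slapd-config(5) style ("to ... by ...").
DN = "olcDatabase={1}mdb,cn=config"
CURRENT_ACLS = ["to attrs=userPassword by self write by anonymous auth by * none",
                'to dn.subtree="ou=people,dc=example,dc=com" by users read',
                "to * by * read"]
ORDER_RE = re.compile(r"^\{(\d+)\}(.*)$")   # the X-ORDERED 'VALUES' {n} prefix
def split_order(value):
    """'{n}body' -> (n, body); a value without the prefix -> (None, value)."""
    m = ORDER_RE.match(value)
    return (int(m.group(1)), m.group(2)) if m else (None, value)
def apply_changes(acls, changes):
    """Model of slapd's ordered-value handling for one LDIF modify record.
    acls: ordered ACL bodies without prefix; changes: list of (op, [values])."""
    acls = list(acls)
    for op, values in changes:
        if op == "replace":                 # replace drops every value, then adds
            acls, op = [], "add"
        for v in values:
            idx, body = split_order(v)
            if op == "delete":
                if idx is None:
                    acls.remove(body)       # delete by exact text
                else:
                    del acls[idx]           # bare "{n}" deletes by position
            elif op == "add":
                if idx is None or idx >= len(acls):
                    acls.append(body)       # no prefix (or past the end): append
                else:
                    acls.insert(idx, body)  # insert here; later ACLs shift down
    return acls
def to_ldif(dn, changes):
    """Render the changes as the modify record ldapmodify would read."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for op, values in changes:
        lines += [f"{op}: olcAccess"] + [f"olcAccess: {v}" for v in values] + ["-"]
    return "\n".join(lines) + "\n"
NEW_0 = "to attrs=userPassword by self write by * auth"
# Rewrite ACL {0} in place: delete it by position, then add it back at {0}.
REWRITE_0 = [("delete", ["{0}"]), ("add", ["{0}" + NEW_0])]
# Insert at {1}: the old {1} and {2} become {2} and {3} automatically.
INSERT_1 = [("add", ['{1}to dn.subtree="ou=svc,dc=example,dc=com" by users read'])]
# The same rewrite via replace restates every ACL; a forgotten one is silently lost.
SLOPPY_REPLACE = [("replace", ["{0}" + NEW_0, "{1}to * by * read"])]
if __name__ == "__main__":
    print(to_ldif(DN, REWRITE_0), apply_changes(CURRENT_ACLS, INSERT_1), sep="\n")
```

Running the file prints the delete/add record for ACL {0} and the list after the {1} insert; SLOPPY_REPLACE shows the failure mode the reply warns about, where the ou=people ACL disappears because it was not restated.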