On Mon, Sep 11, 2017 at 04:18:20PM -0500, Nick Gray wrote:

> With this config, shouldn't this work as well?
>
> ldapsearch -x -W -D cn=Manager,dc=local,dc=bob,dc=com -b cn=config olcDatabase=*

The rules on your config database are:

olcAccess: {0} to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
olcAccess: {1} to * by dn="cn=Manager,dc=local,dc=bob,dc=com" manage

The first matches everything (*), so the second is never consulted.
Which is specifically noted in the slapd.access(5) man page:

  The optional field <control> controls the flow of access rule
  application. It can have the forms

      stop
      continue
      break

  where stop, the default, means access checking stops in case of match.
So as noted in the man page, ACL processing stops at the first matching access rule.
--Quanah

--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>