Problem with ACLs
Trying to give a single user "read only" access to everything in
the database including userPassword info.

Here's the LDIF file I'm using w/ldapmodify:

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
 by dn="cn=Manager,dc=domain,dc=com" write
 by dn.exact="uid=romanager,ou=Users,dc=domain,dc=com" read
 by anonymous auth
 by self write
 by * none
olcAccess: {1}to dn.base=""
 by * read
olcAccess: {2}to *
 by dn="cn=Manager,dc=domain,dc=com" write
 by * read

However, authenticating as uid=romanager,ou=Users,dc=domain,dc=com
lets that user read his own password hash, but nobody else's.  In
other words it's authenticating just like any other user, and it's
as if the

  by dn.exact="uid=romanager,ou=Users,dc=domain,dc=com" read

line is being ignored.  The change is being applied as I've looked
at the database files for the config.  I've tried restarting slapd, etc.

Any suggestions?

@(#) $OpenLDAP: slapd 2.4.44 (Aug  4 2017 14:23:27) $

Bill

--
Bill Bradford
Houston, Texas USA
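As an added illustration (not part of Bill's post): a small Python model of slapd's first-match ACL evaluation, run over the three olcAccess values in the LDIF above. slapd takes the first "to" clause whose target matches the entry and attribute and, within it, the first "by" clause whose subject matches the bind DN; the alice DN used in the checks is made up, and the bare dn= form is treated like dn.exact.

```python
# Added example, not from the original post: a minimal model of how slapd
# evaluates olcAccess. slapd picks the first "to" clause whose target matches
# the entry/attribute, then the first "by" clause whose subject matches the
# bind DN; a matching "to" clause with no matching "by" yields "none".
# Simplifications: DNs compared case-insensitively, bare dn= treated as dn.exact.
MANAGER = "cn=Manager,dc=domain,dc=com"
ROMANAGER = "uid=romanager,ou=Users,dc=domain,dc=com"

# The three olcAccess values from the post: (attrs or None, dn.base or None, by-list)
ACLS = [
    ({"userPassword", "shadowLastChange"}, None, [
        (f'dn="{MANAGER}"', "write"),
        (f'dn.exact="{ROMANAGER}"', "read"),
        ("anonymous", "auth"),
        ("self", "write"),
        ("*", "none"),
    ]),
    (None, "", [("*", "read")]),                                   # {1}to dn.base=""
    (None, None, [(f'dn="{MANAGER}"', "write"), ("*", "read")]),   # {2}to *
]
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def who_matches(who, bind_dn, target_dn):
    """Does a 'by <who>' subject match this bind DN (None = anonymous)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    if who.startswith(("dn=", "dn.exact=")):
        wanted = who.split("=", 1)[1].strip('"')
        return bind_dn is not None and bind_dn.lower() == wanted.lower()
    raise ValueError(f"unsupported who clause: {who}")

def access(bind_dn, target_dn, attr):
    """Access level the rules above grant bind_dn on attr of target_dn."""
    for attrs, base, by_list in ACLS:
        if attrs is not None and attr not in attrs:
            continue                      # "to attrs=..." does not cover this attribute
        if base is not None and target_dn.lower() != base.lower():
            continue                      # "to dn.base=..." names a different entry
        for who, level in by_list:        # first matching "by" wins
            if who_matches(who, bind_dn, target_dn):
                return level
        return "none"                     # clause matched, nobody in "by" did
    return "none"

def can_read(bind_dn, target_dn, attr):
    return LEVELS.index(access(bind_dn, target_dn, attr)) >= LEVELS.index("read")
```

Under these rules as written, romanager gets read on every other entry's userPassword, so a live server that refuses is not evaluating this rule set; compare what is actually loaded with `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcAccess` and trace a bind and search with `slapd -d acl`.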