Hi,
yes, I understand the processing order. So something like this
should work, right ?
olcAccess: to attrs=userPassword by anonymous auth
olcAccess: to * by dn="uid=rpuser,dc=foo,dc=bar" write
olcAccess: to attrs=userPassword by self write by * none
olcAccess: to * by dn="cn=admin,dc=foo,dc=bar" write by self write
by users read by * none
Actually, after an object is replicated, rpuser is deleted (and also other objects of the same tree). Any idea why ?
In the log I get :
Jan 13 16:26:33 node5 slapd[9976]: => access_allowed: delete
access to "dc=foo,dc=bar" "children" requested
Jan 13 16:26:33 node5 slapd[9976]: <= root access granted
Jan 13 16:26:33 node5 slapd[9976]: => access_allowed: delete
access granted by manage(=mwrscxd)
Jan 13 16:26:33 node5 slapd[9976]: => access_allowed: delete
access to "uid=rpuser,dc=foo,dc=bar" "entry" requested
Jan 13 16:26:33 node5 slapd[9976]: <= root access granted
Jan 13 16:26:33 node5 slapd[9976]: => access_allowed: delete
access granted by manage(=mwrscxd)
Jan 13 16:26:33 node5 slapd[9976]: => index_entry_del( 7,
"uid=rpuser,dc=foo,dc=bar" )
Jan 13 16:26:33 node5 slapd[9976]: <= index_entry_del( 7,
"uid=rpuser,dc=foo,dc=bar" ) success
Jan 13 16:26:33 node5 slapd[9976]: mdb_delete: deleted id=00000007
dn="uid=rpuser,dc=foo,dc=bar"
Thanks
--On Friday, January 10, 2020 5:48 PM +0100 Vincent Ducot <vincent.ducot@rubycat.eu> wrote:
a) It's not the same location, it's /var/lib and /var/lab (yeah, tricky)
Ah, missed that.
b) I tested several possibilities but I didn't manage to make it work.
Either the problem stayed the same, either the replication didn't work
anymore, either I couldn't access to rpuser.
I understand that :
- rpuser should have read/write access to its password (to
attrs=userPassword by dn="uid=rpuser,dc=foo,dc=bar" write)
- rpuser should have read/write access to all data (to * by
dn="uid=rpuser,dc=foo,dc=bar" write)
Sure, but ACLs stop processing on the first matching rule. Please review the slapd.access(5) man page. Your ACLsforthe rpuser are never evaluated since prior rules prevent them being reached.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>