Hi Quanah,

Thanks for the clarification. I have added as below:

+++
olcAccess: {1}to dn.subtree="dc=ldapprod,dc=com" by dn="cn=admin,dc=ldapprod,dc=com" write by dn="uid=authuser,dc=ldapprod,dc=com" write by dn="uid=repluser,dc=ldapprod,dc=com" read by dn="uid=replmonitor,dc=ldapprod,dc=com" read by * none
+++

Now the user replmonitor has admin privilege, where it can list all cn. I have tried adding attrs=contextcsn, but no luck. Could you please guide me how I can restrict this?

Regards
K.Keerthiga

On Fri, 14 Feb 2020 at 09:12, Quanah Gibson-Mount <quanah@symas.com> wrote:
--On Friday, February 14, 2020 8:03 AM +0530 keerthi krishnan
<keerthikrishnan1369@gmail.com> wrote:
> olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=ldapprod,dc=com" write by dn="uid=authuser,dc=ldapprod,dc=com" write by dn="uid=repluser,dc=ldapprod,dc=com" read by * none
> olcAccess: {1}to dn.subtree="dc=ldappro,dc=com" by dn="cn=admin,dc=ldapprod,dc=com" write by dn="uid=authuser,dc=ldapprod,dc=com" write by dn="uid=repluser,dc=ldapprod,dc=com" read by * none
> olcAccess: {2} to dn.subtree="dc=ldapprod,dc=com" attrs=contextCSN by dn="uid=replmonitor,dc=ldapprod,dc=com" read by * none
> =======> newly added
Hi,
As documented in the slapd.access(5) man page, ACL processing stops on the
first matching rule. Since rule {1} covers access to all attributes except
userPassword, your query for contextCSN matches rule {1} and rule {2} never
fires.
You probably want to move access rule {2} to be in front of {1}, and add
additional "by" clauses to the rule to allow the admin, authuser, and
repluser access to the attr.
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
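The reordering Quanah describes, written out as a complete cn=config modification. This is an added example for this thread, not text from either poster: the contextCSN rule is placed ahead of the catch-all subtree rule and carries by clauses for admin, authuser and repluser as well as replmonitor, while the subtree rule itself does not name replmonitor, so that account gets read on contextCSN and nothing else. The database DN `olcDatabase={1}mdb,cn=config` is a placeholder and must be replaced with the DN of the database actually being edited.

```ldif
# Added example, not from the thread. Rules are evaluated in {n} order and
# processing stops at the first "to" clause that matches, so the attribute-
# specific rule must come before the rule that covers the whole subtree.
# Lines starting with two spaces are LDIF continuations of the olcAccess value.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by dn="cn=admin,dc=ldapprod,dc=com" write
  by dn="uid=authuser,dc=ldapprod,dc=com" write
  by dn="uid=repluser,dc=ldapprod,dc=com" read
  by * none
# contextCSN rule moved in front of the subtree rule; replmonitor appears
# only here, so its access is limited to this one attribute.
olcAccess: {1}to dn.subtree="dc=ldapprod,dc=com" attrs=contextCSN
  by dn="cn=admin,dc=ldapprod,dc=com" write
  by dn="uid=authuser,dc=ldapprod,dc=com" write
  by dn="uid=repluser,dc=ldapprod,dc=com" read
  by dn="uid=replmonitor,dc=ldapprod,dc=com" read
  by * none
# catch-all subtree rule, now last; no replmonitor clause, so "by * none"
# applies to it for every other attribute.
olcAccess: {2}to dn.subtree="dc=ldapprod,dc=com"
  by dn="cn=admin,dc=ldapprod,dc=com" write
  by dn="uid=authuser,dc=ldapprod,dc=com" write
  by dn="uid=repluser,dc=ldapprod,dc=com" read
  by * none
```

Because `replace: olcAccess` overwrites the whole attribute, every rule must be listed in the file, in the intended order; apply it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif` (or whatever identity manages cn=config on the host). To check the result without issuing live searches, `slapacl -b "dc=ldapprod,dc=com" -D "uid=replmonitor,dc=ldapprod,dc=com" contextCSN/read` should report that read is granted, while the same command with `cn/read` should report that it is denied; an `ldapsearch` bound as replmonitor for `cn` under the suffix should likewise return no entries.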