Hello all,

We are currently migrating from a master-slave to a multi-master setup. All went well except for the fact that the access on the old master node was more liberal than the access on the slave node. As a result, some applications were able to use this to their advantage and now are not working quite correctly when each node is a read-write master.

Here is my configuration:

    #access to dn.regex="mail=.*[email protected],ou=user,ou=jointhegrid.com,o=jointhegrid,c=US"
    #        attrs=userPassword,accountstatus
    #        by dn="[email protected],ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" write break
    #        by dn="[email protected],ou=user,ou=jointhegrid,o=jointhegrid,c=US" write break

    access to attr=userPassword
            by self write
            by anonymous auth
            by dn="[email protected],ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" read
            by dn="[email protected],ou=user,ou=jointhegrid-inc.com,o=jointhegrid,c=US" read
            by * none

    access to attrs=sambaLMPassword,sambaNTPassword
            by dn="[email protected],ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" read
            by dn="[email protected],ou=user,ou=jointhegrid-inc.com,o=jointhegrid,c=US" read
            by self write
            by * none

    access to *
            by dn="[email protected],ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" write
            by dn="[email protected],ou=user,ou=jointhegrid-inc.com,o=jointhegrid,c=US" write
            by dnattr=manager write
            by self write
            by users read
            by * none

My problem is the top commented lines: these rules are to allow sara and john to administer all "mail=.*.managed" users. This worked fine in the past because no read queries hit the master, but now with multi-master the "mail=.*.managed" users have no access to the directory.

The old rule was

    #        by dn="[email protected],ou=user,ou=jointhegrid,o=jointhegrid,c=US" write stop

I also tried

    #        by dn="[email protected],ou=user,ou=jointhegrid,o=jointhegrid,c=US" write break

I was under the impression that "write break" would continue evaluation, but I do not understand how this is working. Can anyone help me with a suggestion for fixing this?

Thank you!
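An added example, not from the poster, showing the first directive rewritten according to the control-flow rules of slapd.access(5): the fall-through goes on a catch-all clause, not on sara's and john's clauses. The "managed" regex is the pattern the post quotes in prose, and sara's and john's DNs are placeholders for the obfuscated values in the post.

```conf
# slapd evaluates only the FIRST "access to" directive whose <what> matches the
# target, then the FIRST "by" clause that matches the requester, and every
# directive ends with an implicit "by * none stop".  In the post's first
# directive only sara and john have "by" clauses, so a managed user binding
# against its own userPassword matches nothing, is denied, and evaluation never
# reaches the "by anonymous auth" of the later userPassword directive.
#
# "stop" (the default) keeps sara's and john's write.  "write break" on their
# clauses sends them on to the next matching directive instead, whose
# non-incremental "read" replaces the write they were just granted, which is
# why "break" there did not help.  "by * none break" for everyone else ends
# this directive without denying and lets the later directives decide
# (auth for the bind, self write, users read).
# DNs and the regex below are placeholders taken from the post's prose.
access to dn.regex="mail=.*.managed,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US"
        attrs=userPassword,accountstatus
        by dn="mail=sara@PLACEHOLDER,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" write stop
        by dn="mail=john@PLACEHOLDER,ou=user,ou=jointhegrid-inc.com,o=jointhegrid,c=US" write stop
        by * none break

# Unchanged from the post: a managed user's bind now reaches "by anonymous auth".
access to attrs=userPassword
        by self write
        by anonymous auth
        by dn="mail=sara@PLACEHOLDER,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" read
        by dn="mail=john@PLACEHOLDER,ou=user,ou=jointhegrid-inc.com,o=jointhegrid,c=US" read
        by * none
```

Because "none" on the catch-all clause is not an incremental (+/-) privilege, whatever the next matching directive grants fully replaces it, so the later directives behave exactly as they did on the old slave.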
