Hello,
I tried to filter out everyone except cn=config when my ACL filter
rule is true (a NAME type attribute matches a value), so that password
authentication for filtered-out users would fail.
It works for regular users, and does not for admins. Is this because
my ACL rules are wrong, or is this a feature of OpenLDAP? Why no
matter what I do
My LDIF is below:
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  filter=(serviceLevel=suspended)
  by dn="cn=config" write
  by * none
olcAccess: {1}to attrs=userPassword,shadowLastChange
  filter=(!(serviceLevel=suspended))
  by self write
  by anonymous auth
  by dn="cn=admin,dc=directory,dc=com" write
  by dn="cn=config" write
  by * none
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to *
  filter=(serviceLevel=suspended)
  by dn="cn=config" write
  by * none
olcAccess: {4}to *
  filter=(!(serviceLevel=suspended))
  by self write
  by dn="cn=admin,dc=directory,dc=com" write
  by dn="cn=config" write
  by * read
Is there something special about the LDAP administrator, by design?
Thank you,
Igor Shmukler
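The behaviour in the post is what slapd does when the "admin" DN is the database's rootdn: the rootdn is never subject to olcAccess rules. The following toy evaluator is an added example (not part of the post and not OpenLDAP's own code) that models slapd's first-match ACL evaluation over the olcAccess rules above, with a switch for whether cn=admin,dc=directory,dc=com is the olcRootDN of olcDatabase={2}hdb. The entries, the serviceLevel attribute values and the rootdn assumption are constructed for the example; the {2} rootDSE rule is omitted because it never applies to entries under the suffix.

```python
"""Simplified model of slapd access evaluation (added example, not OpenLDAP code).

Semantics kept from slapd.access(5): the first <access> clause whose target
matches wins; within it the first matching <by> clause decides; a matched
clause with no matching <by> denies. The rootdn (slapd.conf(5) "rootdn")
bypasses access control entirely, which is the point this example shows.
"""
from dataclasses import dataclass
from typing import Optional

# slapd access levels, lowest to highest
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def level_at_least(granted: str, needed: str) -> bool:
    return LEVELS.index(granted) >= LEVELS.index(needed)


@dataclass
class Entry:
    dn: str
    attrs: dict  # attribute name -> list of values (constructed data)


@dataclass
class Rule:
    attrs: Optional[set]        # None models "to *"
    suspended: Optional[bool]   # models filter=(serviceLevel=suspended) / its negation
    by: list                    # ordered (<who>, <access>) pairs


def target_matches(rule: Rule, entry: Entry, attr: str) -> bool:
    if rule.attrs is not None and attr not in rule.attrs:
        return False
    if rule.suspended is None:
        return True
    return ("suspended" in entry.attrs.get("serviceLevel", [])) == rule.suspended


def who_matches(who: str, requester: Optional[str], entry: Entry) -> bool:
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester.lower() == entry.dn.lower()
    if who.startswith('dn="') and who.endswith('"'):
        return requester is not None and requester.lower() == who[4:-1].lower()
    raise ValueError(f"unsupported <who> clause: {who}")


def access(rules, rootdn: Optional[str], requester: Optional[str], entry: Entry, attr: str) -> str:
    """Access level `requester` (None = anonymous) gets to `attr` of `entry`."""
    # rootdn bypass: no olcAccess rule is consulted at all
    if rootdn is not None and requester is not None and requester.lower() == rootdn.lower():
        return "manage"
    for rule in rules:
        if not target_matches(rule, entry, attr):
            continue
        for who, level in rule.by:
            if who_matches(who, requester, entry):
                return level
        return "none"
    return "none"  # nothing matched: default deny


def can_bind(rules, rootdn: Optional[str], entry: Entry) -> bool:
    """A simple bind needs 'auth' on userPassword for the anonymous requester."""
    return level_at_least(access(rules, rootdn, None, entry, "userPassword"), "auth")


# The poster's olcAccess rules {0},{1},{3},{4}, transcribed
PW = {"userPassword", "shadowLastChange"}
ADMIN = "cn=admin,dc=directory,dc=com"
CONFIG = 'dn="cn=config"'
RULES = [
    Rule(PW, True, [(CONFIG, "write"), ("*", "none")]),
    Rule(PW, False, [("self", "write"), ("anonymous", "auth"), (f'dn="{ADMIN}"', "write"),
                     (CONFIG, "write"), ("*", "none")]),
    Rule(None, True, [(CONFIG, "write"), ("*", "none")]),
    Rule(None, False, [("self", "write"), (f'dn="{ADMIN}"', "write"), (CONFIG, "write"), ("*", "read")]),
]

# constructed sample entries
ACTIVE = Entry("uid=alice,dc=directory,dc=com", {"serviceLevel": ["active"]})
SUSPENDED = Entry("uid=bob,dc=directory,dc=com", {"serviceLevel": ["suspended"]})

if __name__ == "__main__":
    for rootdn in (ADMIN, None):
        print(f"rootdn={rootdn}")
        print("  bob can bind:", can_bind(RULES, rootdn, SUSPENDED))
        print("  admin access to bob's userPassword:",
              access(RULES, rootdn, ADMIN, SUSPENDED, "userPassword"))
```

Running it shows the suspended user is denied a bind in both configurations, while the admin's access to the suspended entry flips from "manage" to "none" depending only on whether that DN is the rootdn. The real-world check is to read olcRootDN from the olcDatabase={2}hdb,cn=config entry: if it is cn=admin,dc=directory,dc=com, no ACL can restrict it, and a separate non-rootdn administrative DN is needed for the rules to apply.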