I would like to allow users to ldapmodify a few of their attibutes ...
sshPublicKey,gecos ..
This does not appear to do the trick:
0-14:08 djh@ldap0 ~$
*sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \> cn=config
'(olcDatabase={1}hdb)' olcAccess*
dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by
anonymou
s auth by dn="cn=admin,dc=example,dc=com" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=example,dc=com" write by * read
olcAccess: {3}to attrs=sshPublicKey,gecos by self write
Why? I would guess the {2} rule "to * by * read" has precedence.
As I understand it, if I wanted to re-order those rules, I would delete and
rewrite the rules. This would require me to delete the rule that gives
admin the access to write the rules in the first place ... sounds like a
way to lock myself out of my LDAP database?
So, my guess is that I want and LDIF like so:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
remove: olcAccess
olcAccess: {3}to attrs=sshPublicKey,gecos by self write
-
add: olcAccess
olcAccess: {2}to attrs=sshPublicKey,gecos by self write
-
add: olcAccess
olcAccess: {3}to * by dn="cn=admin,dc=example,dc=com" write by * read
-
remove: olcAccess
olcAccess: {2}to * by dn="cn=admin,dc=example,dc=com" write by * read
If I run this as cn=admin then it should:
1) Remove ineffective {3}
2) Add an effective {2} (now there are two {2}s..)
3) Add a new {3} to match incumbent {2}
4) Remove incumbent {2}
I shouldn't lock myself out because I add a new rule for admin access
before deleting the old rule, and as far as LDAP is superficially
concerned, all these olcAccess attributes are just unique records, so the
conflicting number rules aren't going to be a problem .. ?
Am I on the right track?
Thanks,
-danny
--
http://dannyman.toldme.com
