Hi all,
On Thu, Oct 12, 2017 at 10:25:20AM +0200, Ervin Hegedüs wrote:
> On Wed, Oct 11, 2017 at 06:44:01PM -0700, Quanah Gibson-Mount wrote:
> > Your uid=repuser,dc=my,dc=domain,dc=hu user does not have "read" access on
> > the userPassword attribute.
>
> what would be the expected form of olcAccess structure?
>
> Now I configured these lines:
>
[...]
> olcAccess: {0}to attrs=userPassword,shadowLastChange
> by self write
> by anonymous auth
> by dn="uid=repuser,dc=my,dc=domain,dc=hu" read
> by * none
> olcAccess: {1}to dn.children="ou=ABC Customer,dc=my,dc=domain,dc=hu"
> by self write
> by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=my,dc=domain,dc=hu"
> write
> by * auth
> olcAccess: {2}to dn.base="" by * read
> olcAccess: {3}to * by * read
> olcAccess: {4}to dn.children="ou=ABC Customer,dc=my,dc=domain,dc=hu"
> by self write
> by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=my,dc=domain,dc=hu"
> write
> by * auth
sorry, looks like these are wrong, I've configured this state:
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=core,dc=hdt,dc=hu
olcAccess: {0}to attrs=userPassword,shadowLastChange
by self write
by anonymous auth
by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read
by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
and it works as well.
Now I have to set up the admin rights to users who member of
special group (eg, groupabcadmins).
a.
