Hi folks, many, many thanks for your help.
On Thu, Oct 12, 2017 at 11:06:00AM -0700, Quanah Gibson-Mount wrote:
> --On Thursday, October 12, 2017 6:32 PM +0200 Ervin Hegedüs
> <[email protected]> wrote:
>
> >rules:
> >
> >olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by
> >anonymous auth by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read by * none
> >olcAccess: {1}to dn.base="" by * read
> >olcAccess: {2}to dn.children="ou=ABC Customer,dc=core,dc=hdt,dc=hu" by
> >self write by group.exact="cn=groupabcadmin,ou=ABC
> >Customer,dc=core,dc=hdt,dc=hu" write by self write by anonymous auth by
> >dn="uid=repuser,dc=mycompany,dc=hu" read
> >olcAccess: {3}to * by * read
>
> Your olcAccess: {1} value does not belong in your back-MDB database. That
> rule goes in the {-1}frontend,cn=config portion of the database as a global
> access rule.

What does it reveal? This rule comes with the default installation...

> You probably also want a rule that reads:
>
> to dn.base="cn=subschema" by * read

The frontend config is this:

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=Subschema" by * read

> in the {-1}frontend,cn=config database as well.
>
> So for your back-mdb database, what one would expect is more something like:
>
> olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by
> anonymous auth by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read
> olcAccess: {1}to dn.children="ou=ABC Customer,dc=core,dc=hdt,dc=hu" by self
> write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=core,dc=hdt,dc=hu"
> write by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read
> olcAccess: {2}to * by * read

Well, at first look it works - many thanks again. I'll check all the config tomorrow.

Regards,

a.
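The ordering rules that the reply above relies on (frontend directives first, first matching `to` clause wins, first matching `by` clause decides, `by * break` falls through to the next directive) can be checked offline before touching the server. The script below is an added example written for this page; it is not OpenLDAP code and not something anyone in the thread posted. It feeds the frontend directives as posted and the back-mdb directives as suggested in the reply, verbatim, through a small Python model of slapd's olcAccess evaluation. The user entries, the `admin1` group member and the attribute names it queries are constructed sample data, and the model is deliberately narrow: only the `<what>`/`<who>` forms used in the thread are supported, `continue` and the `+`/`-` level modifiers are not, and DNs are compared as case-folded strings rather than properly normalized.

```python
"""Toy model of slapd olcAccess evaluation (added example, not OpenLDAP code).
Frontend (global) directives are consulted before the database's own; the first
<what> matching the target wins; the first <who> in it matching the requester
decides; 'by * break' hands evaluation to the next directive."""
import re
import shlex

# slapd privilege levels in increasing order; a grant covers every lower level
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def norm_dn(dn):
    # Simplified DN normalization: trim each RDN and fold case (not RFC 4517 matching)
    return ",".join(p.strip() for p in (dn or "").split(",")).lower()

def parse_access(value):
    """Parse one olcAccess value into (what, [(who, level, control), ...])."""
    value = re.sub(r"^\{\d+\}", "", value.strip())        # drop the {n} ordering prefix
    if not value.startswith("to "):
        raise ValueError("olcAccess value must start with 'to'")
    what, *clauses = re.split(r"\s+by\s+", value[3:])
    parsed = []
    for clause in clauses:
        tokens = shlex.split(clause)       # keeps quoted DNs containing spaces whole
        who, rest = tokens[0], tokens[1:]
        level = rest[0] if rest and rest[0] in LEVELS else None
        control = "break" if rest and rest[-1] == "break" else "stop"
        parsed.append((who, level, control))
    return shlex.split(what)[0], parsed

def what_matches(what, entry_dn, attr):
    key, _, val = what.partition("=")
    entry, base = norm_dn(entry_dn), norm_dn(val)
    if key == "*":
        return True
    if key == "attrs":
        return attr.lower() in {a.strip().lower() for a in val.split(",")}
    if key in ("dn", "dn.base", "dn.exact"):
        return entry == base
    if key == "dn.children":
        return entry != base and entry.endswith("," + base)
    raise ValueError(f"unsupported <what>: {what}")

def who_matches(who, bind_dn, entry_dn, groups):
    key, _, val = who.partition("=")
    bind = norm_dn(bind_dn)                # "" means an anonymous requester
    if key == "*":
        return True
    if key == "anonymous":
        return bind == ""
    if key == "self":
        return bind != "" and bind == norm_dn(entry_dn)
    if key in ("dn", "dn.base", "dn.exact"):
        return bind != "" and bind == norm_dn(val)
    if key in ("group", "group.exact"):
        return bind in {norm_dn(m) for m in groups.get(norm_dn(val), ())}
    raise ValueError(f"unsupported <who>: {who}")

def granted_level(rules, bind_dn, entry_dn, attr, groups):
    """Level the ordered directives grant; frontend directives must come first."""
    provisional = "none"
    for what, clauses in rules:
        if not what_matches(what, entry_dn, attr):
            continue
        hit = next(((lvl, ctl) for who, lvl, ctl in clauses
                    if who_matches(who, bind_dn, entry_dn, groups)), None)
        if hit is None:
            return "none"          # <what> matched but no <who> did: implicit 'by * none'
        level, control = hit
        if level is not None:
            provisional = level
        if control == "stop":
            return provisional     # default control: this clause is final
        # 'break': carry on with the next directive
    return provisional             # no further directive matched

def allowed(rules, bind_dn, entry_dn, attr, requested, groups=None):
    """True if the rules grant at least `requested` (a member of LEVELS)."""
    got = granted_level(rules, bind_dn, entry_dn, attr, groups or {})
    return LEVELS.index(got) >= LEVELS.index(requested)

# Directives quoted from the thread: the posted frontend, then the suggested back-mdb set
FRONTEND = [
    "{0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break",
    '{1}to dn.exact="" by * read',
    '{2}to dn.base="cn=Subschema" by * read',
]
DATABASE = [
    '{0}to attrs=userPassword,shadowLastChange by self write by anonymous auth '
    'by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read',
    '{1}to dn.children="ou=ABC Customer,dc=core,dc=hdt,dc=hu" by self write '
    'by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=core,dc=hdt,dc=hu" write '
    'by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read',
    "{2}to * by * read",
]
RULES = [parse_access(v) for v in FRONTEND + DATABASE]

# Constructed sample identities and group membership (not from the thread)
REPUSER = "uid=repuser,dc=core,dc=hdt,dc=hu"
ROOT_LDAPI = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
ALICE = "uid=alice,ou=ABC Customer,dc=core,dc=hdt,dc=hu"
ADMIN = "uid=admin1,ou=ABC Customer,dc=core,dc=hdt,dc=hu"
BOB = "uid=bob,ou=Other,dc=core,dc=hdt,dc=hu"
GROUPS = {norm_dn("cn=groupabcadmin,ou=ABC Customer,dc=core,dc=hdt,dc=hu"): [ADMIN]}
```

Run against the suggested rule set, the model gives the expected answers for the password attribute (anonymous gets `auth` only, `repuser` gets `read`, the user gets `write` on their own entry, root over ldapi gets `manage` through the frontend rule) and the root DSE and subschema are readable via the frontend. It also shows the consequence of first-match evaluation that is easy to miss when a `to * by * read` sits at the end: an entry under `ou=ABC Customer` is matched by `{1}`, and since `{1}` has no `by * read` clause, an anonymous read of an ordinary attribute such as `cn` there is denied; `{2}` is never consulted for those entries. Whether that is wanted is a deployment decision, but it should be a conscious one. The authoritative check against the real configuration is `slapacl`, e.g. `slapacl -F /etc/ldap/slapd.d -D "" -b "uid=alice,ou=ABC Customer,dc=core,dc=hdt,dc=hu" cn/read`, run for each identity and attribute that matters.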
