Ok, I thought the rule matched if "by" also matched. Thanks for shedding light on it.

I applied the olcAccess you proposed. I still have the problem of the "dc=foo,dc=bar" tree being deleted on node2, for example when I add a user on node1. Any idea why?

Thanks, Regards,
Vincent

On 13/01/2020 at 17:24, Quanah Gibson-Mount wrote:
> --On Monday, January 13, 2020 4:53 PM +0100 Vincent Ducot <[email protected]> wrote:
>
>> Hi,
>>
>> yes, I understand the processing order. So something like this should
>> work, right?
>
> No. All access to userPassword is stopped by your very first ACL, no
> further ACLs for it will apply, as I already stated. Again, ACL
> processing STOPs at the FIRST matching rule. Additionally, a
> replication user only needs read access to read data off the master.
> It does not need explicit write access to its local db.
>
>> olcAccess: to attrs=userPassword by anonymous auth
>> olcAccess: to * by dn="uid=rpuser,dc=foo,dc=bar" write
>> olcAccess: to attrs=userPassword by self write by * none
>> olcAccess: to * by dn="cn=admin,dc=foo,dc=bar" write by self write by
>> users read by * none
>
> So in the above, any and all access to userPassword STOPs at the "by
> anonymous auth access". Any other type of request for access to
> userPassword will be denied.
>
> You most likely want something more like:
>
> olcAccess: to attrs=userPassword by anonymous auth by self write by
> dn.exact="uid=rpuser,dc=foo,dc=bar" read
> olcAccess: to * by dn="cn=admin,dc=foo,dc=bar" write by self write by
> users read by * none
>
> This appears to encapsulate the permissions you're trying to set up in
> the above.
>
> Note that a "user" is *any* identity that successfully authenticated to
> the LDAP server, so the "rpuser" is already covered in the "to *"
> access line by the rule "by users read".
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
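To make the "first matching rule stops" behaviour Quanah describes concrete, here is a small Python model of slapd ACL evaluation, added alongside this thread and not part of the exchange or of OpenLDAP itself. It assumes the simplified semantics of slapd.access(5) (first matching `to` clause decides, first matching `by` clause inside it sets the level, anything unmatched is `by * none`), models only the `<what>` and `<who>` forms used in the two quoted rule sets, and uses a constructed entry `uid=alice,dc=foo,dc=bar` as the target.

```python
import re

# Access levels in increasing order of privilege (slapd.access(5)).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def parse_rule(line):
    """'olcAccess: to <what> by <who> <level> [by ...]' -> (what, [(who, level), ...])."""
    head, *clauses = line.split(":", 1)[1].strip().split(" by ")
    return head[3:].strip(), [tuple(c.strip().rsplit(None, 1)) for c in clauses]

def target_matches(what, attr):
    # Only the <what> forms used in the thread are modelled: '*' and 'attrs=NAME[,NAME...]'.
    return what == "*" or (what.lower().startswith("attrs=") and attr.lower() in what[6:].lower().split(","))

def who_matches(who, requester, entry_dn):
    # requester is None for an anonymous bind, otherwise the bound DN.
    simple = {"*": True, "anonymous": requester is None, "users": requester is not None,
              "self": requester is not None and requester.lower() == entry_dn.lower()}
    if who in simple:
        return simple[who]
    m = re.fullmatch(r'dn(?:\.exact)?="([^"]+)"', who)  # a bare dn= means dn.exact
    if m:
        return requester is not None and requester.lower() == m.group(1).lower()
    raise ValueError("unsupported <who>: " + who)

def access_granted(rules, entry_dn, attr, requester, wanted):
    """The FIRST rule whose <what> matches decides; within it the FIRST matching <who> sets
    the level. No matching <who> (or no matching rule at all) is the implicit 'by * none'."""
    for what, bys in map(parse_rule, rules):
        if target_matches(what, attr):
            for who, level in bys:
                if who_matches(who, requester, entry_dn):
                    return LEVELS.index(level) >= LEVELS.index(wanted)
            return False  # matched rule, but no <who> matched: denied
    return False  # no rule matched: denied

# The two rule sets quoted in the thread (constructed input for this model).
ORIGINAL = [
    "olcAccess: to attrs=userPassword by anonymous auth",
    'olcAccess: to * by dn="uid=rpuser,dc=foo,dc=bar" write',
    "olcAccess: to attrs=userPassword by self write by * none",
    'olcAccess: to * by dn="cn=admin,dc=foo,dc=bar" write by self write by users read by * none',
]
PROPOSED = [
    'olcAccess: to attrs=userPassword by anonymous auth by self write by dn.exact="uid=rpuser,dc=foo,dc=bar" read',
    'olcAccess: to * by dn="cn=admin,dc=foo,dc=bar" write by self write by users read by * none',
]
RPUSER, ALICE = "uid=rpuser,dc=foo,dc=bar", "uid=alice,dc=foo,dc=bar"  # alice is a constructed entry
```

Running `access_granted(ORIGINAL, ALICE, "userPassword", RPUSER, "read")` returns False because the first rule swallows every userPassword request, while the same call against PROPOSED returns True; note also that ORIGINAL's second rule still hands rpuser write access to everything else, which a consumer does not need.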
