>From: "Quanah Gibson-Mount" <[email protected]>
>olcAccess: {1}to dn.base="" by * read
>This is an ACL that is meant to go into the frontend DB, not the primary DB.

I remember setting that one so that ApacheDirectoryStudio (or another GUI) could 
read the RootDSE, but now you make me wonder ...? 

>olcAccess: {3}to dn.subtree="dc=mydomain,dc=fr" by 
> dn.exact="cn=repuser,ou=dsa,dc=mydomain,dc=fr" read by * break
> This ACL will never be used, since ACL{2} already covers your entire tree.

ACL{2} is dn.base, not subtree: 
olcAccess: {2}to dn.base="dc=mydomain,dc=fr" by * read

For me it is not subtree access, but just "one level" => dn.base, the object 
dc=mydomain,dc=fr itself (again for GUIs). 
But if I am wrong on that interpretation, you are right, and then it allows access 
to everything for everyone :-( !
Please confirm.

>olcAccess: {4}to attrs=userPassword,shadowLastChange by self write by 
>anonymous auth by dn.exact="cn=repuser,ou=dsa,dc=mydomain,dc=fr" read by * 
>none

You are right, I should move {4} up above {3}, but {3} is just a line for 
dn.exact="cn=repuser,ou=dsa,dc=mydomain,dc=fr" read, and then for "by *" there is a 
break! 

> Same as #3.
> olcAccess: {5}to * by self read by * none
> Same as #3.
> In practice, you only have two functioning ACLs with what you provided:

>olcAccess: {0}to * by 
>dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by 
>* break
>olcAccess: {2}to dn.base="dc=mydomain,dc=fr" by * read
>Probably most critical, you've given everyone, including anonymous, read 
>access to the userPassword attribute of every account in your tree.

If you confirm how wrong {2} is, I must change it, indeed.

Thanks.

PS: to clarify the discussion, here's my initial post:
# cat olcRepConfigAccess.ldif
# Database number (3) and type (mdb) might be different on your instance.
dn: olcDatabase={3}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.base="dc=mydomain,dc=fr" by * read
olcAccess: {3}to dn.subtree="dc=mydomain,dc=fr" by dn.exact="cn=repuser,ou=dsa,dc=mydomain,dc=fr" read by * break
olcAccess: {4}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn.exact="cn=repuser,ou=dsa,dc=mydomain,dc=fr" read by * none
olcAccess: {5}to * by self read by * none

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
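To make the dn.base / dn.subtree / break questions in this exchange concrete, here is an added Python model of slapd's ACL evaluation (not slapd's code and not from the thread) applied to the six olcAccess directives posted above. It assumes the evaluation rules documented in slapd.access(5) and uses constructed entry DNs such as uid=alice,ou=people,dc=mydomain,dc=fr.

```python
# Added model (not slapd, not from the thread) of the olcAccess walk in slapd.access(5):
# directives in order; the first matching "to" clause applies; its "by" clauses are tried
# in order and the first match sets the level; "stop" (default) ends, "break" continues
# with the next directive. ACLs are the six posted above.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
ROOT = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
REPUSER = "cn=repuser,ou=dsa,dc=mydomain,dc=fr"
SUFFIX = "dc=mydomain,dc=fr"
ACLS = [  # (target, [(who, level, control), ...]); "by * break" carries no level -> none
    (("*", None), [(("exact", ROOT), "manage", "stop"), (("*",), "none", "break")]),
    (("base", ""), [(("*",), "read", "stop")]),
    (("base", SUFFIX), [(("*",), "read", "stop")]),
    (("subtree", SUFFIX), [(("exact", REPUSER), "read", "stop"), (("*",), "none", "break")]),
    (("attrs", {"userpassword", "shadowlastchange"}),
     [(("self",), "write", "stop"), (("anonymous",), "auth", "stop"),
      (("exact", REPUSER), "read", "stop"), (("*",), "none", "stop")]),
    (("*", None), [(("self",), "read", "stop"), (("*",), "none", "stop")]),
]

def to_matches(target, entry_dn, attr):
    kind, arg = target
    if kind == "base":          # dn.base: the named entry itself, nothing below it
        return entry_dn == arg
    if kind == "subtree":       # dn.subtree: the entry and everything below it
        return entry_dn == arg or entry_dn.endswith("," + arg)
    return kind == "*" or attr.lower() in arg   # "to *", or attrs=... on any entry

def who_matches(who, bind_dn, entry_dn):
    if who[0] == "anonymous":
        return bind_dn == ""
    if who[0] == "self":
        return bind_dn != "" and bind_dn == entry_dn
    return who[0] == "*" or bind_dn == who[1]   # "*" or dn.exact=...

def granted_level(bind_dn, entry_dn, attr="entry"):
    level = "none"
    for target, by_clauses in ACLS:
        if not to_matches(target, entry_dn, attr):
            continue                        # directive does not apply to this target
        for who, lvl, control in by_clauses:
            if who_matches(who, bind_dn, entry_dn):
                level = lvl
                if control != "break":
                    return level            # "stop": evaluation ends here
                break                       # "break": carry on with the next directive
        else:
            return "none"                   # no "by" matched: implicit "by * none"
    return level

def allowed(bind_dn, entry_dn, attr, wanted):
    return LEVELS.index(granted_level(bind_dn, entry_dn, attr)) >= LEVELS.index(wanted)
```

Calling granted_level("", "uid=alice,ou=people,dc=mydomain,dc=fr", "userPassword") walks {0} (break), skips {1} and {2} because dn.base names only the entry itself, passes {3} (break) and stops in {4} at "by anonymous auth".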
