--On Sunday, August 27, 2023 9:20 PM +0000 Marc <m...@f1-outsourcing.eu> wrote:
>> On 8/27/23 19:01, Marc wrote:
>>> olcAccess: {2} to attrs=userPassword,shadowLastChange
>>> by ssf=256 self read
>>> by ssf=256 anonymous auth
>>> by * none break
>> I think the problem is this rule. You specify 'by * none break', which
>> means that evaluation is not stopped if this rule does not match.
>> Because of that, the later rules for user 'yyyy' do match and 'yyyy' can
>> read the 'userPassword' attribute.
>> You would have to specify a separate rule for 'userPassword' without
>> 'break', something like this:
>> olcAccess: {1} to attrs=userPassword
>> by self read
>> by anonymous auth
> Well done, Souji! Thanks, that seems to be working better, and I can remove
> these redundant read/search combinations!
Yes, two things to keep in mind:
a) "by * none" is implicit in every ACL statement
b) Adding "break" to it means that the rest of the ACLs continue processing.
As for the frontend ACL bit, I strongly advise only having those first 2
ACLs present there, otherwise they apply to every database on the server.
It's better to locate ACLs in the databases they are meant for.
Examples:
dn: olcDatabase={-1}frontend,cn=config
olcAccess: {0}to dn.base="" by * read
olcAccess: {1} to dn.exact="cn=Subschema" by * read
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword by self write by anonymous auth
olcAccess: {1}to * by self write by sockurl.exact="^ldapi:///$" write by users read
dn: olcDatabase={2}monitor,cn=config
olcAccess: {0}to * by * read
etc.
--Quanah
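A small Python model of the evaluation order Souji and Quanah describe (an added example, not from the thread and not OpenLDAP's own code): directives are tried in order, the `by` clauses of the first matching directive in order, `by * none` is implicit at the end of each directive, and `break` hands evaluation to the next directive. The DNs and the shape of the later "rule for user yyyy" are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

@dataclass
class By:
    who: str               # "self", "anonymous", "users", "*" or "dn:<exact dn>"
    access: str            # "none", "auth", "read", "write"
    control: str = "stop"  # "stop" (the default) or "break"
    min_ssf: int = 0       # models "ssf=256"; 0 means no requirement

@dataclass
class Acl:
    attrs: Optional[Set[str]]  # None models "to *"
    clauses: List[By]

def who_matches(by: By, bound_dn: Optional[str], target_dn: str) -> bool:
    if by.who == "*":
        return True
    if by.who == "self":
        return bound_dn is not None and bound_dn == target_dn
    if by.who == "anonymous":
        return bound_dn is None
    if by.who == "users":
        return bound_dn is not None
    return by.who == f"dn:{bound_dn}"

def evaluate(acls: List[Acl], attr: str, bound_dn: Optional[str],
             target_dn: str, ssf: int) -> str:
    """Return the access level the applicable olcAccess directives grant."""
    for acl in acls:
        if acl.attrs is not None and attr not in acl.attrs:
            continue  # this directive does not apply to the attribute
        # "by * none" is implicit at the end of every directive
        for by in acl.clauses + [By("*", "none")]:
            if ssf < by.min_ssf or not who_matches(by, bound_dn, target_dn):
                continue
            if by.control == "break":
                break  # fall through to the next olcAccess directive
            return by.access
    return "none"

# Constructed identities and an assumed later rule that grants 'yyyy' read access.
YYYY = "uid=yyyy,ou=people,dc=example,dc=com"
OTHER = "uid=other,ou=people,dc=example,dc=com"
LATER_RULE = Acl(None, [By(f"dn:{YYYY}", "read"), By("users", "read")])
ORIGINAL = [Acl({"userPassword", "shadowLastChange"},
                [By("self", "read", min_ssf=256), By("anonymous", "auth", min_ssf=256),
                 By("*", "none", "break")]), LATER_RULE]
FIXED = [Acl({"userPassword"}, [By("self", "read"), By("anonymous", "auth")]), LATER_RULE]
```

With `ORIGINAL`, `evaluate(ORIGINAL, "userPassword", YYYY, OTHER, 256)` returns "read" because the `break` lets the later rule decide; with `FIXED` the implicit `by * none` stops evaluation and returns "none".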