1
dn: olcDatabase={1}hdb,cn=config
objectclass: olcDatabaseConfig
objectclass: olcHdbConfig
olcaccess: {0}to dn.subtree="ou=subtree,dc=domain,dc=tld" by self write by dn="cn=subadmin,dc=domain,dc=tld" write by users read by anonymous none
olcaccess: {1}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=mpbteam,dc=de" write by * none
olcaccess: {2}to dn.base="" by * read
olcaccess: {3}to * by self write by dn="cn=admin,dc=domain,dc=tld" write by * read

I got stuck in understanding ACL-Order. Users of subtree and dn: cn=subadmin,dc=domain,dc=tld should be able to modify their own passwords, but they aren't with this ruleset, as subtree-admin isn't, but subtree admin can write new dn's. If I remove ACL {0} users can modify again, but I need a subtree-admin with write access for each subtree.

regards,

Maik

Maik Riecken
  • 11
  • 1

1 Answers1

0

The ordering of the ACL lines matters.

olcaccess: {0}to dn.subtree="ou=subtree,dc=domain,dc=tld" by self write by dn="cn=subadmin,dc=domain,dc=tld" write by users read by anonymous none olcaccess: {1}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=mpbteam,dc=de" write by * none olcaccess: {2}to dn.base="" by * read olcaccess: {3}to * by self write by dn="cn=admin,dc=domain,dc=tld" write by * read

You can get rid of {2} because it's covered in {3} and you should switch {1} and {0}. This is because the attributes are part of the subtree and you have told LDAP that the subtree is only readable by users. Try:

olcaccess: {0}to attrs=userPassword,shadowLastChange by self write by users write by anonymous auth by dn="cn=admin,dc=mpbteam,dc=de" write olcaccess: {1}to dn.subtree="ou=subtree,dc=domain,dc=tld" by self write by dn="cn=subadmin,dc=domain,dc=tld" write by users read by anonymous none olcaccess: {2}to * by self write by dn="cn=admin,dc=domain,dc=tld" write by * read

You don't need the by * none either, it's implicit.

Of course, I have not tried this as I am having trouble editing my config at all at the moment... could you have a look at:

LDAP build script failing on openLDAP-2.4.31 ( ldapmodify -Y EXTERNAL -H ldapi:/// )

for me?

Community
  • 1
MarkJL
  • 131
  • 8