Hi, yes, I understand the processing order. So something like this should work, right?

olcAccess: to attrs=userPassword by anonymous auth
olcAccess: to * by dn="uid=rpuser,dc=foo,dc=bar" write
olcAccess: to attrs=userPassword by self write by * none
olcAccess: to * by dn="cn=admin,dc=foo,dc=bar" write by self write by users read by * none

Actually, after an object is replicated, rpuser is deleted (and also other objects of the same tree). Any idea why?

In the log I get:

Jan 13 16:26:33 node5 slapd[9976]: => access_allowed: delete access to "dc=foo,dc=bar" "children" requested
Jan 13 16:26:33 node5 slapd[9976]: <= root access granted
Jan 13 16:26:33 node5 slapd[9976]: => access_allowed: delete access granted by manage(=mwrscxd)
Jan 13 16:26:33 node5 slapd[9976]: => access_allowed: delete access to "uid=rpuser,dc=foo,dc=bar" "entry" requested
Jan 13 16:26:33 node5 slapd[9976]: <= root access granted
Jan 13 16:26:33 node5 slapd[9976]: => access_allowed: delete access granted by manage(=mwrscxd)
Jan 13 16:26:33 node5 slapd[9976]: => index_entry_del( 7, "uid=rpuser,dc=foo,dc=bar" )
Jan 13 16:26:33 node5 slapd[9976]: <= index_entry_del( 7, "uid=rpuser,dc=foo,dc=bar" ) success
Jan 13 16:26:33 node5 slapd[9976]: mdb_delete: deleted id=00000007 dn="uid=rpuser,dc=foo,dc=bar"

Thanks

On 10/01/2020 at 23:27, Quanah Gibson-Mount wrote:
>
> --On Friday, January 10, 2020 5:48 PM +0100 Vincent Ducot
> <[email protected]> wrote:
>
>> a) It's not the same location, it's /var/lib and /var/lab (yeah, tricky)
>
> Ah, missed that.
>
>> b) I tested several possibilities but I didn't manage to make it work.
>> Either the problem stayed the same, or the replication didn't work
>> anymore, or I couldn't access rpuser.
>>
>> I understand that:
>>
>> - rpuser should have read/write access to its password (to
>> attrs=userPassword by dn="uid=rpuser,dc=foo,dc=bar" write)
>>
>> - rpuser should have read/write access to all data (to * by
>> dn="uid=rpuser,dc=foo,dc=bar" write)
>
> Sure, but ACLs stop processing on the first matching rule. Please
> review the slapd.access(5) man page. Your ACLs for the rpuser are never
> evaluated since prior rules prevent them being reached.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
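
As an added illustration of the first-match evaluation Quanah describes (this is not code from the thread or from OpenLDAP), the following Python model transcribes the four olcAccess lines posted above as data and reports which rule a given request hits and what level it is granted. The requester and target DNs used with it are constructed, and the rootdn bypass that appears as "root access granted" in the log is outside the model.

```python
"""Model of slapd first-match ACL evaluation (added example, not from the thread).

slapd.access(5): the first rule whose <what> matches the target is used, and
inside it the first matching <by> clause decides; if no <by> clause matches,
access is denied (implicit 'by * none'). The rootdn bypasses ACLs entirely
("root access granted" in the log), which this model does not cover.
"""
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Constructed transcription of the four olcAccess lines from the message above.
# Each rule: (set of <what> attrs, or None for '*', [(who, level), ...]).
ACLS = [
    ({"userPassword"}, [("anonymous", "auth")]),
    (None, [("dn:uid=rpuser,dc=foo,dc=bar", "write")]),
    ({"userPassword"}, [("self", "write"), ("*", "none")]),
    (None, [("dn:cn=admin,dc=foo,dc=bar", "write"), ("self", "write"),
            ("users", "read"), ("*", "none")]),
]

def who_matches(who, requester, target_dn):
    """requester is the bound DN, or '' for anonymous; target_dn is the entry."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester == ""
    if who == "users":
        return requester != ""
    if who == "self":
        return requester != "" and requester == target_dn
    if who.startswith("dn:"):
        return requester == who[3:]
    return False

def evaluate(requester, target_dn, attr):
    """Return (rule index, granted level) from the first rule whose <what> matches."""
    for i, (attrs, by_clauses) in enumerate(ACLS):
        if attrs is not None and attr not in attrs:
            continue
        for who, level in by_clauses:
            if who_matches(who, requester, target_dn):
                return i, level
        return i, "none"  # <what> matched but no <by> did: implicit deny
    return None, "none"

def allowed(requester, target_dn, attr, needed):
    """True if the granted level is at least 'needed' (levels are ordered)."""
    _, level = evaluate(requester, target_dn, attr)
    return LEVELS.index(level) >= LEVELS.index(needed)
```

With this ordering, every userPassword request is decided by the first rule, so the third rule is never reached, and every other request is decided by the second rule, whose only <by> clause names rpuser.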
