I'm writing a utility (in Perl) that needs access to attribute olcPPolicyDefault that defines the DN of the default password policy in OpenLDAP. As the utility should not use the Admin or cn=config account to bind to the OpenLDAP server (2.4.41 of SLES12, BTW), I defined a separate account uid=PP-Checker,... for access.

As I did not want to code the exact context (olcOverlay={2}ppolicy,olcDatabase={1}hdb,cn=config) into the ACL, I had tried a filter:

...
olcAccess: {2}to filter=(&(objectClass=olcPPolicyConfig)(olcPPolicyDefault=*))
 attrs=olcPPolicyDefault by dn.exact="uid=PP-Checker,..." read by * break

However that did not allow access. So I tried to add access to the parent context like this:

...
olcAccess: {1}to dn.subtree="cn=config" by dn.exact="uid=PP-Checker,..." search by * break
olcAccess: {2}to filter=(&(objectClass=olcPPolicyConfig)(olcPPolicyDefault=*))
 attrs=olcPPolicyDefault by dn.exact="uid=PP-Checker,..." read by * break

So the obvious questions are:

  1. Is the ACL correct, and if not: How to do it correctly?
  2. If the ACL is correct, is it defined in the correct context (olcDatabase={0}config,cn=config)?
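
As an added example that is not part of the question above, the following Python snippet (my own code, not from the poster or the OpenLDAP project) unfolds the LDIF continuation line, pulls the `olcAccess` values out of the fragment and lists them in `{n}` order, so the target spec and `by` clauses of each rule can be reviewed before they are loaded into `cn=config`. The input is constructed from the two values in the post, keeping the `...` DN abbreviations as posted.

```python
import re
import shlex

# Constructed input: the question's two olcAccess values. The continuation line
# starts with TWO spaces: RFC 2849 strips exactly one fold marker, so the second
# space is the real separator before "attrs=".
LDIF = """\
olcAccess: {1}to dn.subtree="cn=config" by dn.exact="uid=PP-Checker,..." search by * break
olcAccess: {2}to filter=(&(objectClass=olcPPolicyConfig)(olcPPolicyDefault=*))
  attrs=olcPPolicyDefault by dn.exact="uid=PP-Checker,..." read by * break
"""

# Access levels and flow controls from slapd.access(5).
LEVELS = {"none", "disclose", "auth", "compare", "search", "read", "write", "manage"}
CONTROLS = {"stop", "continue", "break"}


def unfold(ldif):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_rule(value):
    """Split one {n}-indexed olcAccess value into index, target spec and by-clauses."""
    m = re.match(r"\{(\d+)\}(.*)", value)
    idx, body = int(m.group(1)), m.group(2)
    tokens = shlex.split(body)  # keeps the quoted DNs together
    first_by = tokens.index("by")
    # dn.subtree=, filter=, attrs= ... sit between "to" and the first "by".
    target = dict(t.partition("=")[::2] for t in tokens[1:first_by])
    by_clauses, rest = [], tokens[first_by:]
    while rest:  # rest always starts with "by"
        nxt = rest.index("by", 1) if "by" in rest[1:] else len(rest)
        clause, rest = rest[1:nxt], rest[nxt:]
        by_clauses.append({
            "who": clause[0],
            "access": next((t for t in clause[1:] if t in LEVELS), "none"),
            "control": next((t for t in clause[1:] if t in CONTROLS), "stop"),
        })
    return {"index": idx, "target": target, "by": by_clauses}


def parse_olc_access(ldif):
    """Return the olcAccess rules of an LDIF fragment in slapd evaluation order."""
    rules = [parse_rule(line.split(":", 1)[1].strip())
             for line in unfold(ldif) if line.startswith("olcAccess:")]
    return sorted(rules, key=lambda r: r["index"])
```

slapd applies the first `to` clause whose target matches and, within it, the first matching `by` clause, so reviewing the rules in index order shows which clause a given bind DN will actually hit.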
