Hi,
Thanks for the quick response on both IRC and the forums.
Please find below the test ACL policies which I am trying to convert.
olcAccess: to dn.subtree="dc=test,dc=com" attrs=userPassword
by dn.exact="cn=repl,dc=test,dc=com" write
by group.exact="cn=DirectoryAdmins,ou=Groups,dc=test,dc=com" write
by dn.children="ou=DirectoryAdmins,dc=test,dc=com" write
by self write
by anonymous auth   (need to find)
by * none
I.
aci: (target = "ldap:///dc=test,dc=com")(targetattr = "userPassword")(version 3.0; acl "ACI for userPassword attribute";
allow(write) (userdn = "ldap:///cn=repl,dc=test,dc=com") OR
(groupdn = "ldap:///cn=DirectoryAdmins,ou=Groups,dc=test,dc=com") OR
(groupdn = "ldap:///ou=DirectoryAdmins,dc=test,dc=com") OR
(userdn = "ldap:///self");)
## TODO:
## read and search operations are there; need to verify with auth
# aci: (targetattr = "userPassword")(version 3.0; acl "Enable only auth for anonymous";
# allow (read, search) (userdn = "ldap:///anyone");)
aci: (targetattr = "userPassword")(version 3.0; acl "Disable for all other users";
deny(all) (userdn= "ldap:///all");)
II. With multiple allows in one rule:
aci: (target = "ldap:///dc=test,dc=com")(targetattr = "userPassword")(version 3.0; acl "ACI for userPassword attribute";
allow(write) (userdn = "ldap:///cn=repl,dc=test,dc=com");
allow(write) (groupdn = "ldap:///cn=DirectoryAdmins,ou=Groups,dc=test,dc=com");
allow(write) (groupdn = "ldap:///ou=DirectoryAdmins,dc=test,dc=com");
allow(write) (userdn = "ldap:///self");)
Could you kindly review this and let me know if I am wrong.
Thanks & Regards
Cooldharma06
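The conversion asked about above, worked through as a small translator from an OpenLDAP olcAccess clause to a 389-DS / Red Hat DS aci value. This is an added example, not code from the post or from either directory server project; the olcAccess input is constructed from the rule in the post, and the acl name "converted olcAccess" and the function names are my own. Two points the translator encodes: OpenLDAP access levels are cumulative (write implies read, search and compare) while 389-DS permissions are independent flags, and "by anonymous auth" and "by * none" produce no aci at all, because 389-DS does not consult ACIs when evaluating a simple bind and denies by default, while an explicit deny(all) for everyone would take precedence over every allow.

```python
"""Translate one OpenLDAP olcAccess clause into a 389-DS aci value."""
import re
from collections import OrderedDict

# Constructed input: the olcAccess rule from the post, joined onto one line.
OLC_ACCESS = (
    'to dn.subtree="dc=test,dc=com" attrs=userPassword '
    'by dn.exact="cn=repl,dc=test,dc=com" write '
    'by group.exact="cn=DirectoryAdmins,ou=Groups,dc=test,dc=com" write '
    'by dn.children="ou=DirectoryAdmins,dc=test,dc=com" write '
    'by self write '
    'by anonymous auth '
    'by * none'
)

# OpenLDAP levels are cumulative; 389-DS permissions are separate flags, so
# each level expands to the set it implies. "auth" and "none" map to no aci:
#  - 389-DS does not consult ACIs for a simple bind, so "anonymous auth"
#    needs no rule;
#  - anything no aci allows is denied by default, and an explicit deny(all)
#    would override every allow, since deny takes precedence in 389-DS.
LEVELS = {
    "write": ("read", "search", "compare", "write"),
    "read": ("read", "search", "compare"),
    "search": ("search", "compare"),
    "compare": ("compare",),
    "auth": None,
    "none": None,
}


def who_to_bind_rule(who):
    """Map an OpenLDAP <who> clause to a 389-DS bind rule."""
    if who == "self":
        return 'userdn = "ldap:///self"'
    if who == "users":
        return 'userdn = "ldap:///all"'
    if who in ("*", "anonymous"):
        return 'userdn = "ldap:///anyone"'
    m = re.fullmatch(
        r'(dn\.exact|dn\.children|dn\.subtree|group\.exact)="([^"]+)"', who)
    if not m:
        raise ValueError("unsupported <who> clause: %r" % who)
    style, dn = m.groups()
    if style == "dn.exact":
        return 'userdn = "ldap:///%s"' % dn
    if style == "group.exact":
        # An organizational unit is not a group: membership of a subtree is
        # expressed with userdn and an LDAP URL, groupdn only for group entries.
        return 'groupdn = "ldap:///%s"' % dn
    # dn.children / dn.subtree: a sub-scope LDAP URL selects every bound entry
    # under dn. Approximation: sub scope also matches dn itself, which
    # dn.children excludes.
    return 'userdn = "ldap:///%s??sub?(objectClass=*)"' % dn


def olc_to_aci(olc_access):
    """Return an aci value equivalent to one olcAccess clause."""
    head, *by_clauses = re.split(r"\s+by\s+", olc_access.strip())
    m = re.fullmatch(r'to\s+(?:dn\.\w+="([^"]+)")?\s*(?:attrs=(\S+))?', head)
    if not m:
        raise ValueError("cannot parse <what> clause: %r" % head)
    target_dn, attrs = m.groups()
    parts = []
    if target_dn:
        parts.append('(target = "ldap:///%s")' % target_dn)
    if attrs:
        parts.append('(targetattr = "%s")' % attrs.replace(",", " || "))
    # Group <who> clauses by permission set so each set becomes one allow
    # whose bind rules are joined with "or".
    grants = OrderedDict()
    for clause in by_clauses:
        who, level = clause.rsplit(None, 1)
        perms = LEVELS[level]
        if perms is None:
            continue  # no aci needed; see the LEVELS comment
        grants.setdefault(perms, []).append(who_to_bind_rule(who))
    body = ""
    for perms, rules in grants.items():
        body += " allow (%s) (%s);" % (", ".join(perms), " or ".join(rules))
    parts.append('(version 3.0; acl "converted olcAccess";%s)' % body)
    return "aci: " + "".join(parts)


if __name__ == "__main__":
    print(olc_to_aci(OLC_ACCESS))
```

The resulting aci is meant to be added to the dc=test,dc=com entry with ldapmodify; the target keyword is then redundant, since an aci placed on an entry applies to that entry and everything below it, but it is kept so the output mirrors the "to dn.subtree" clause.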