
This is part of olcDatabase={1}hdb.ldif:

olcAccess: {0}to attrs=userPassword,shadowLastChange
 by self write
 by anonymous auth
 by dn="cn=admin,dc=somesite,dc=com" write
 by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to *
 by self write
 by dn="cn=admin,dc=somesite,dc=com" write
 by * read

I would like to append `by dn="cn=anotheruser,ou=Users,dc=somesite,dc=com" write` to the {0} and {2} rules.

Before I destroy my LDAP server, is the following LDIF correct?

dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
 by dn="cn=admin,dc=somesite,dc=com" write
 by dn="cn=anotheruser,ou=Users,dc=somesite,dc=com" write
 by anonymous auth
 by self write
 by * none
olcAccess: {2}to *
 by self write
 by dn="cn=admin,dc=somesite,dc=com" write
 by dn="cn=anotheruser,ou=Users,dc=somesite,dc=com" write
 by * read

With: ldapmodify -Y EXTERNAL -H ldapi:/// -f ./changes.ldif

My concerns are:

  • there are 3 olcAccess: lines; I did not include the {1} line, so would it still be there after committing the LDIF changes?
  • is the replace: olcAccess line correct?
    Please tell me this isn't managing `posixAccount` `dn`s. Allowing such a `dn` to change its `uidNumber` and `gidNumber` to 0 is a serious security problem. – 84104 Sep 11 '13 at 18:04

1 Answer


This LDIF worked for me, with the previous command:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
# replace rewrites the whole attribute, so every rule that should survive is listed
olcAccess: {0}to attrs=userPassword,shadowLastChange
 by dn="cn=admin,dc=somesite,dc=com" write
 by dn="cn=anotheruser,ou=Users,dc=somesite,dc=com" write
 by anonymous auth
 by self write
 by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to *
 by self write
 by dn="cn=admin,dc=somesite,dc=com" write
 by dn="cn=anotheruser,ou=Users,dc=somesite,dc=com" write
 by * read
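Added example (Python, not code from the question or the answer): a simplified olcAccess evaluator that checks what the answer's three rules grant, including the case raised in the comment on the question, where `to * by self write` lets a posixAccount entry change its own uidNumber. The hardened variant, the user DN uid=bob and the limited rule syntax it understands are assumptions.

```python
"""Simplified olcAccess evaluator (added example, not code from the page). It models
only the forms on this page: 'to *', 'to attrs=...', 'to dn.base=""' and the subjects
self, anonymous, dn="..." and '*'. As in slapd, the first matching 'to' clause is
chosen and its first matching 'by' clause decides; nothing falls through."""
import re

ADMIN = 'dn="cn=admin,dc=somesite,dc=com"'
OTHER = 'dn="cn=anotheruser,ou=Users,dc=somesite,dc=com"'
# The answer's three olcAccess values, with LDIF continuation lines joined.
PAGE_ACL = [
    f"{{0}}to attrs=userPassword,shadowLastChange by {ADMIN} write by {OTHER} write"
    " by anonymous auth by self write by * none",
    '{1}to dn.base="" by * read',
    f"{{2}}to * by self write by {ADMIN} write by {OTHER} write by * read",
]
# Hypothetical hardened variant: a rule placed before 'to *' keeps the POSIX id
# attributes the comment warns about read-only for everyone except the admin.
HARDENED_ACL = PAGE_ACL[:2] + [
    f"{{2}}to attrs=uidNumber,gidNumber by {ADMIN} write by * read",
    PAGE_ACL[2].replace("{2}", "{3}", 1),
]

def parse_acl(values):
    """Return [(entry_dn or None, attr set or None, [(subject, level), ...]), ...]."""
    rules = []
    for value in values:
        target, *bys = re.split(r"\s+by\s+", re.sub(r"^\{\d+\}to\s+", "", value.strip()))
        entry, attrs = None, None                 # None means "matches anything"
        if target.startswith("attrs="):
            attrs = set(target[len("attrs="):].split(","))
        elif target == 'dn.base=""':
            entry = ""                            # the root DSE only
        rules.append((entry, attrs, [tuple(b.split(None, 1)) for b in bys]))
    return rules

def access(values, who, target_dn, attr):
    """Level that `who` (a bind DN, '' for anonymous) gets to attr of target_dn."""
    for entry, attrs, bys in parse_acl(values):
        if (entry is not None and entry != target_dn) or (attrs is not None and attr not in attrs):
            continue
        for subject, level in bys:
            if (subject == "*" or (subject == "anonymous" and who == "")
                    or (subject == "self" and who != "" and who == target_dn)
                    or (subject.startswith('dn="') and who == subject[4:-1])):
                return level
        return "none"                # matching 'to' but no matching 'by': denied
    return "none"

if __name__ == "__main__":
    bob = "uid=bob,ou=Users,dc=somesite,dc=com"   # constructed posixAccount DN
    print(access(PAGE_ACL, bob, bob, "uidNumber"), access(HARDENED_ACL, bob, bob, "uidNumber"))
```

Running it prints `write read`: under the answer's ACL any user can rewrite their own uidNumber, while the extra attrs rule drops that to read without touching password handling.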