I want to add an ACL for a sub organization on my OpenLDAP.

This is their ACL documentation: https://www.openldap.org/doc/admin24/access-control.html

I am using ldapmodify to update the ldap db on a running OpenLDAP instance.

This is the ldif file I have imported:

vim ro_access.ldif

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {2}to dn.children="ou=users,dc=example,dc=com" by dn.exact="cn=workstation,ou=applications,dc=example,dc=com" read

I expect

  • cn=workstation,ou=applications,dc=example,dc=com to be able to read children under ou=users,dc=example,dc=com
  • auth to keep the preceding default behavior.
  • anonymous to keep the preceding default behavior.

I have

  • ldapwhoami working when bound as cn=workstation,ou=applications,dc=example,dc=com
  • ldapsearch failing to return the entry uid=someone,ou=users,dc=example,dc=com when bound as cn=workstation,ou=applications,dc=example,dc=com

Edit

I have tried to replace olcAccess {1} with {2} and {2} with {1}.

This is the full replaced ACL and it also does not work:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by dn="cn
 =admin,dc=example,dc=com" write by dn="cn=ropw,dc=example,dc=co
 m" read by anonymous auth by * none
olcaccess: {1}to dn.children="ou=users,dc=example,dc=com" by dn
 .exact="cn=workstation,ou=applications,dc=example,dc=com" read
olcaccess: {2}to * by self write by dn="cn=admin,dc=example,dc=com" write
  by dn="cn=ro,dc=example,dc=com" read by dn="cn=ropw,dc=exam
 ple,dc=com" read by * none

Any idea why?

Solution 1:

Try adding by anonymous auth by * none at the end of your ACL directive:

olcAccess: {1}to dn.children="ou=users,dc=example,dc=com" by dn
 .exact="cn=workstation,ou=applications,dc=example,dc=com" read
 by anonymous auth by * none
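To see how the three olcAccess directives in the question and the variant proposed in Solution 1 interact, here is an added Python model of the evaluation rules described in the linked admin guide (example code written for this page, not OpenLDAP's own code and not the questioner's). It unfolds the LDIF exactly as posted, parses each directive, and reports the access level a given identity gets on a given entry and attribute. Only the semantics needed here are modelled: the first `to` clause that matches the entry and attribute is the only one consulted, its first matching `by` clause decides, a clause with no matching `by` denies (the implicit `by * none`), and `dn.children` covers subordinates but not the entry itself. Regex styles, the `entry`/`children` pseudo-attributes, and set, group and peername selectors are not modelled, and an unstyled `dn="..."` is treated as an exact match (a simplification that does not change the outcome for the DNs on this page). `uid=someone` is the entry named in the question; the `cn` and `objectClass` attribute names used in the checks are assumptions.

```python
# Added example (not OpenLDAP's code): a simplified model of slapd's olcAccess evaluation,
# after the admin guide linked above. Not modelled: regex styles, the entry/children
# pseudo-attributes, set/group/peername selectors; an unstyled dn="..." is taken as exact.
import shlex

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
WORKSTATION = "cn=workstation,ou=applications,dc=example,dc=com"
ADMIN = "cn=admin,dc=example,dc=com"
# The replaced ACL from the question, LDIF line folding kept exactly as posted.
LDIF = """\
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by dn="cn
 =admin,dc=example,dc=com" write by dn="cn=ropw,dc=example,dc=co
 m" read by anonymous auth by * none
olcaccess: {1}to dn.children="ou=users,dc=example,dc=com" by dn
 .exact="cn=workstation,ou=applications,dc=example,dc=com" read
olcaccess: {2}to * by self write by dn="cn=admin,dc=example,dc=com" write
  by dn="cn=ro,dc=example,dc=com" read by dn="cn=ropw,dc=exam
 ple,dc=com" read by * none
"""
# Rule {1} in the form proposed in Solution 1 (explicit trailing by clauses).
SOLUTION_RULE = ('to dn.children="ou=users,dc=example,dc=com" by dn.exact='
                 '"cn=workstation,ou=applications,dc=example,dc=com" read '
                 'by anonymous auth by * none')

def unfold_ldif(text):
    """Join LDIF continuation lines: the single leading space is dropped, the rest kept."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def olc_access_values(text):
    """olcAccess values in {n} order, with the {n} ordering prefix removed."""
    found = []
    for line in unfold_ldif(text):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "olcaccess":
            close = value.index("}")
            found.append((int(value[value.index("{") + 1:close]), value[close + 1:].strip()))
    return [v for _, v in sorted(found)]

def norm_dn(dn):
    return ",".join(p.strip() for p in dn.split(",")).lower()

def parse_acl(text):
    """Parse 'to <what> by <who> <level> ...' into {'what': ..., 'by': [(who, level), ...]}."""
    tokens = shlex.split(text)            # also strips the quotes around DNs
    assert tokens and tokens[0] == "to", "an access directive must start with 'to'"
    what, by, i = {"dn": None, "style": None, "attrs": None}, [], 1
    while i < len(tokens) and tokens[i] != "by":
        key, _, val = tokens[i].partition("=")
        if key == "attrs":
            what["attrs"] = {a.lower() for a in val.split(",")}
        elif key == "dn" or key.startswith("dn."):
            what["dn"], what["style"] = norm_dn(val), key[3:] or "exact"
        elif tokens[i] != "*":
            raise ValueError(f"unsupported <what> clause: {tokens[i]}")
        i += 1
    while i < len(tokens):
        if tokens[i] != "by" or i + 2 >= len(tokens) or tokens[i + 2] not in LEVELS:
            raise ValueError("malformed <by> clause")
        by.append((tokens[i + 1], tokens[i + 2]))
        i += 3
    return {"what": what, "by": by}

def what_matches(what, target, attr):
    if what["attrs"] is not None and attr.lower() not in what["attrs"]:
        return False
    if what["dn"] is None:                # 'to *' or an attrs-only clause
        return True
    base = what["dn"]
    is_child = target != base and target.endswith("," + base)   # children excludes base
    return {"exact": target == base, "base": target == base, "children": is_child,
            "subtree": target == base or is_child}[what["style"]]

def who_matches(who, requester, target):
    if who in ("*", "anonymous", "users", "self"):
        return {"*": True, "anonymous": requester is None, "users": requester is not None,
                "self": requester == target}[who]
    key, _, val = who.partition("=")
    if key in ("dn", "dn.exact", "dn.base"):
        return requester == norm_dn(val)
    raise ValueError(f"unsupported <who> clause: {who}")

def granted_level(rules, requester, target, attr):
    """Level the rule set grants; requester=None means an anonymous bind."""
    requester = None if requester is None else norm_dn(requester)
    target = norm_dn(target)
    for rule in rules:                    # first matching 'to' clause is the only one used
        if what_matches(rule["what"], target, attr):
            for who, level in rule["by"]:   # first matching 'by' clause decides
                if who_matches(who, requester, target):
                    return level
            return "none"                 # no by clause matched: the implicit 'by * none'
    return "read"                         # slapd's default policy when no directive matches

def allows(rules, requester, target, attr, wanted):
    return LEVELS.index(granted_level(rules, requester, target, attr)) >= LEVELS.index(wanted)

RULES = [parse_acl(v) for v in olc_access_values(LDIF)]
RULES_WITH_SOLUTION = [RULES[0], parse_acl(SOLUTION_RULE), RULES[2]]

if __name__ == "__main__":
    for who in (WORKSTATION, ADMIN, None):
        print(who or "anonymous", granted_level(RULES, who, "uid=someone,ou=users,dc=example,dc=com", "uid"))
```

Run as-is, the model reports three things worth checking against a real server with slapacl or ldapsearch: the workstation DN gets `read` on the attributes of entries below `ou=users` but `none` on the `ou=users` entry itself, because `dn.children` excludes the base; since directive {1} sits in front of the catch-all {2} and names only the workstation, every other identity, `cn=admin` included, drops to the implicit `by * none` on the non-password attributes of those entries; and the Solution 1 form of {1} changes only the anonymous result (`auth` instead of `none`), leaving the workstation and admin outcomes as they were.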