When working with OpenLDAP's access control lists (ACLs), particularly the olcAccess attributes, it's crucial to understand how modification operations affect the entire attribute set. The original question presents a common scenario where administrators need to append new access rules while preserving existing ones.
Here's the proper way to structure your LDIF file for modifying specific olcAccess entries while keeping others intact:
# A line that starts with a space continues the previous value (LDIF folding);
# the second space is the real separator before "by".
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn="cn=admin,dc=somesite,dc=com" write
  by dn="uid=anotheruser,ou=Users,dc=somesite,dc=com" write
  by anonymous auth
  by self write
  by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to *
  by self write
  by dn="cn=admin,dc=somesite,dc=com" write
  by dn="cn=anotheruser,ou=Users,dc=somesite,dc=com" write
  by * read
When using the replace operation with multi-valued attributes like olcAccess:
- The replace operation completely replaces all values of the attribute
- You must include ALL desired values in the modification
- Missing values will be removed from the configuration
Always follow this workflow when modifying ACLs:
# First, export the current configuration (-LLL drops the ldapsearch comments and version line)
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)" olcAccess > current_acls.ldif
# Then edit the exported file: add "changetype: modify" and "replace: olcAccess"
# under the dn line, then edit or insert olcAccess values (keep every rule you want)
nano current_acls.ldif
# Finally apply the same file you edited
ldapmodify -Y EXTERNAL -H ldapi:/// -f current_acls.ldif
For more complex modifications, consider using separate modify operations:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {0}
-
# "-" separates the two changes of one modify record
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn="cn=admin,dc=somesite,dc=com" write
  by dn="uid=anotheruser,ou=Users,dc=somesite,dc=com" write
  by anonymous auth
  by self write
  by * none
This method allows you to modify specific indexes without affecting others.
Always verify changes after modification:
ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)" olcAccess
For production environments, consider testing changes on a staging server first or using OpenLDAP's built-in configuration checking:
# -F checks a cn=config directory (slapd.d); -f would check a legacy slapd.conf instead
slaptest -v -F /path/to/your/slapd.d
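Putting the export, edit, apply workflow of the answer above into a script (an added example, not code from the answer): the helper unfolds the LDIF continuation lines that ldapsearch emits, keeps the {n} index of every existing olcAccess value, inserts a new by clause into the rules that need it, and emits a complete replace: olcAccess record, so the replace cannot drop a rule by accident. The export text, the function names (grant_write, insert_by_clause, build_replace_ldif) and the choice of which rules receive the grant are constructed for this example.

```python
import re
from typing import List, Tuple

# Constructed sample of what `ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config
# "(olcDatabase={1}hdb)" olcAccess` prints.  ldapsearch folds long values at 76
# columns; a continuation line starts with ONE space, which is removed when the
# line is joined back onto the previous one.
EXPORT = (
    "dn: olcDatabase={1}hdb,cn=config\n"
    "olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymo\n"
    " us auth by dn=\"cn=admin,dc=somesite,dc=com\" write by * none\n"
    "olcAccess: {1}to dn.base=\"\" by * read\n"
    "olcAccess: {2}to * by self write by dn=\"cn=admin,dc=somesite,dc=com\" write by\n"
    "  * read\n"
    "\n"
)

ORDERED = re.compile(r"^\{(\d+)\}(.*)$")   # X-ORDERED value: {index}rule


def unfold(ldif_text: str) -> List[str]:
    """Join LDIF continuation lines (leading single space) into logical lines."""
    lines: List[str] = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]           # drop only the continuation marker
        elif raw.startswith("#"):
            continue                       # ldapsearch comment lines
        else:
            lines.append(raw)
    return lines


def ordered_values(lines: List[str], attr: str) -> List[Tuple[int, str]]:
    """Return (index, rule) pairs of an X-ORDERED attribute, sorted by index."""
    values: List[Tuple[int, str]] = []
    prefix = attr + ": "
    for line in lines:
        if not line.startswith(prefix):
            continue
        m = ORDERED.match(line[len(prefix):])
        if not m:
            raise ValueError("value without {n} index: " + line)
        values.append((int(m.group(1)), m.group(2)))
    return sorted(values)


def insert_by_clause(rule: str, clause: str, position: int) -> str:
    """Insert `by <clause>` as the position-th <by> clause of one ACL rule.

    Assumes the token " by " never occurs inside a quoted DN or regex of the
    rule (true for every rule on this page).  Idempotent if already present.
    """
    parts = re.split(r"\s+by\s+", rule.strip())
    to_part, by_parts = parts[0], parts[1:]
    if clause in by_parts:
        return rule
    by_parts.insert(position, clause)
    return to_part + "".join(" by " + p for p in by_parts)


def build_replace_ldif(dn: str, values: List[Tuple[int, str]]) -> str:
    """Emit a modify record that replaces olcAccess with EVERY rule in `values`.

    Values are written unfolded, one per line, so no continuation ambiguity
    can creep in; slapd accepts long LDIF lines.
    """
    out = ["dn: " + dn, "changetype: modify", "replace: olcAccess"]
    for idx, (_, rule) in enumerate(values):      # renumber densely from {0}
        out.append("olcAccess: {%d}%s" % (idx, rule))
    return "\n".join(out) + "\n"


def grant_write(export: str, dn: str, user_dn: str) -> str:
    """Give user_dn write access in the userPassword rule and the catch-all rule."""
    clause = 'dn="%s" write' % user_dn
    new_rules = []
    for idx, rule in ordered_values(unfold(export), "olcAccess"):
        to_clause = rule.split(" by ", 1)[0]
        if to_clause == "to *" or to_clause.startswith("to attrs="):
            rule = insert_by_clause(rule, clause, 0)   # first <by> wins, so put it first
        new_rules.append((idx, rule))
    return build_replace_ldif(dn, new_rules)


if __name__ == "__main__":
    print(grant_write(EXPORT, "olcDatabase={1}hdb,cn=config",
                      "cn=anotheruser,ou=Users,dc=somesite,dc=com"), end="")
```

The output is a complete replace record: all three rules come back out, with {1} untouched, which is exactly the property the replace operation requires.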
When working with OpenLDAP's access control lists (olcAccess), administrators often need to modify existing rules without disrupting other access controls. The key challenge is maintaining all existing rules while adding new ones.
Your current access rules in olcDatabase={1}hdb.ldif contain three distinct entries:
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by dn="cn=admin,dc=somesite,dc=com" write
  by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to *
  by self write
  by dn="cn=admin,dc=somesite,dc=com" write
  by * read
Your proposed LDIF file is almost correct, but needs these adjustments:
# Continuation lines must start with a space (LDIF folding); the second space
# keeps "by" separated from the previous token.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn="cn=admin,dc=somesite,dc=com" write
  by dn="cn=anotheruser,ou=Users,dc=somesite,dc=com" write
  by anonymous auth
  by self write
  by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to *
  by self write
  by dn="cn=admin,dc=somesite,dc=com" write
  by dn="cn=anotheruser,ou=Users,dc=somesite,dc=com" write
  by * read
1. Complete Replacement Requirement: The replace operation completely replaces all olcAccess attributes, so you must include all existing rules (including {1}) in your LDIF.
2. Order Matters: OpenLDAP evaluates rules in order, so place more specific rules before general ones.
3. Syntax Verification: Always test with ldapmodify -n (dry-run) before applying changes:
ldapmodify -Y EXTERNAL -H ldapi:/// -f ./changes.ldif -n
For simpler modifications, consider adding new rules without replacing all existing ones:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {3}to attrs=userPassword,shadowLastChange
  by dn="cn=anotheruser,ou=Users,dc=somesite,dc=com" write
-
add: olcAccess
olcAccess: {4}to *
  by dn="cn=anotheruser,ou=Users,dc=somesite,dc=com" write
This method preserves existing rules while adding new ones, though it may require subsequent reorganization.
Always verify changes with:
ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)" olcAccess
This confirms your modifications while displaying the complete current access control configuration.
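To see why the appended {3} and {4} rules in the last LDIF above have no effect until that reorganization happens, here is an added example (not code from the answer) that models slapd's first-match evaluation: the first rule whose to clause matches the target is selected and evaluation stops there; inside it, the first matching by clause decides (the default stop behaviour; no continue/break control is modelled). Only the clause forms that appear on this page are supported (to *, to dn.base="...", to attrs=..., by *, by anonymous, by self, by dn="..."). The two rule lists, the target entry uid=bob and the function names are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed: the answer's three rules plus the two that the `add: olcAccess`
# LDIF appends, as slapd stores them (one value per line, {n} index first).
AFTER_ADD = [
    '{0}to attrs=userPassword,shadowLastChange by self write by anonymous auth'
    ' by dn="cn=admin,dc=somesite,dc=com" write by * none',
    '{1}to dn.base="" by * read',
    '{2}to * by self write by dn="cn=admin,dc=somesite,dc=com" write by * read',
    '{3}to attrs=userPassword,shadowLastChange'
    ' by dn="cn=anotheruser,ou=Users,dc=somesite,dc=com" write',
    '{4}to * by dn="cn=anotheruser,ou=Users,dc=somesite,dc=com" write',
]

# Constructed: the same grant written into the existing rules instead of appended.
REORGANISED = [
    '{0}to attrs=userPassword,shadowLastChange by self write by anonymous auth'
    ' by dn="cn=admin,dc=somesite,dc=com" write'
    ' by dn="cn=anotheruser,ou=Users,dc=somesite,dc=com" write by * none',
    '{1}to dn.base="" by * read',
    '{2}to * by self write by dn="cn=admin,dc=somesite,dc=com" write'
    ' by dn="cn=anotheruser,ou=Users,dc=somesite,dc=com" write by * read',
]

ANOTHER = "cn=anotheruser,ou=Users,dc=somesite,dc=com"
BOB = "uid=bob,ou=Users,dc=somesite,dc=com"      # constructed target entry
ATTRS = re.compile(r"attrs=(\S+)")


def parse_rule(value: str) -> Tuple[str, List[Tuple[str, str]]]:
    """'{n}to <what> by <who> <level> ...' -> (<what>, [(who, level), ...])."""
    body = re.sub(r"^\{\d+\}", "", value.strip())
    parts = re.split(r"\s+by\s+", body)
    if not parts[0].startswith("to "):
        raise ValueError("rule must start with 'to': " + value)
    by_clauses = []
    for clause in parts[1:]:
        who, level = clause.rsplit(None, 1)    # 'dn="..." write' -> ('dn="..."', 'write')
        by_clauses.append((who, level))
    return parts[0][3:].strip(), by_clauses


def to_matches(what: str, target_dn: str, attr: Optional[str]) -> bool:
    """Does this <to> clause select the target?  Only the forms on this page."""
    if what == "*":
        return True
    m = re.fullmatch(r'dn\.base="([^"]*)"', what)
    if m:
        return target_dn.lower() == m.group(1).lower()
    m = ATTRS.fullmatch(what)
    if m:
        return attr is not None and attr.lower() in m.group(1).lower().split(",")
    raise ValueError("<to> form not modelled: " + what)


def who_matches(who: str, bind_dn: str, target_dn: str) -> bool:
    """<by> selectors used on this page; bind_dn == '' means an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "self":
        return bind_dn != "" and bind_dn.lower() == target_dn.lower()
    m = re.fullmatch(r'dn="([^"]*)"', who)
    if m:
        return bind_dn.lower() == m.group(1).lower()
    raise ValueError("<by> form not modelled: " + who)


def selected_rule(rules: List[str], target_dn: str, attr: Optional[str]) -> int:
    """Index of the first rule whose <to> matches; -1 means no rule, i.e. no access."""
    for idx, value in enumerate(rules):
        if to_matches(parse_rule(value)[0], target_dn, attr):
            return idx
    return -1


def access(rules: List[str], target_dn: str, attr: Optional[str], bind_dn: str) -> str:
    """Level slapd grants: the first matching <by> of the selected rule (default stop)."""
    idx = selected_rule(rules, target_dn, attr)
    if idx < 0:
        return "none"
    for who, level in parse_rule(rules[idx])[1]:
        if who_matches(who, bind_dn, target_dn):
            return level
    return "none"                   # rule selected, but no <by> matched: denied


def shadowed(rules: List[str]) -> Dict[int, int]:
    """Rules that can never be selected -> the earlier rule that hides them.

    Sound for the forms modelled: an earlier `to *` hides every later rule, and an
    earlier identical clause or a superset `attrs=` list hides this rule.
    """
    whats = [parse_rule(r)[0] for r in rules]
    result: Dict[int, int] = {}
    for i, wi in enumerate(whats):
        for j in range(i):
            wj = whats[j]
            mi, mj = ATTRS.fullmatch(wi), ATTRS.fullmatch(wj)
            subset = bool(mi and mj) and (
                set(mi.group(1).lower().split(",")) <= set(mj.group(1).lower().split(",")))
            if wj == "*" or wj.lower() == wi.lower() or subset:
                result[i] = j
                break
    return result


if __name__ == "__main__":
    print("shadowed after add:", shadowed(AFTER_ADD))
    print("anotheruser -> bob/userPassword, appended:   ", access(AFTER_ADD, BOB, "userPassword", ANOTHER))
    print("anotheruser -> bob/userPassword, reorganised:", access(REORGANISED, BOB, "userPassword", ANOTHER))
```

With the appended rules, {3} is hidden by {0} (same attrs list) and {4} by {2} (to *), so anotheruser still gets none on userPassword; the reorganised list has no shadowed rule and grants write. Run shadowed() over any exported olcAccess list before applying it.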