@onslauth
Created February 17, 2016 14:40
CONFIG DB:
----------
# {1}ldif, config
dn: olcDatabase={1}ldif,cn=config
objectClass: olcLdifConfig
olcDatabase: {1}ldif
olcDbDirectory: /var/pq/0/mount/resolve/installations/entities/vmi/location/za/parts/new/instances/test/openldap-data
olcSuffix: dc=example,dc=com
olcAccess: {0}to * by self read by set="[cn=10.0.0.92,ou=servers,dc=example,dc=com]/member* & user" read by * none
olcAccess: {1}to * by self write by peername.ip="127.0.0.1" write by * none
olcRootDN: cn=Manager,dc=example,dc=com
olcRootPW: random
LDAP DB:
--------
# example.com
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
description: example.com
o: example.com
dc: example
# access-groups, example.com
dn: ou=access-groups,dc=example,dc=com
objectClass: organizationalUnit
ou: access-groups
description: Access control groups
# Test Users, access-groups, example.com
dn: cn=Test Users,ou=access-groups,dc=example,dc=com
objectClass: groupOfNames
cn: Test Users
description: Test Users
member: uid=aaa,ou=people,dc=example,dc=com
# groups, example.com
dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups
description: unix login group
# aaa, groups, example.com
dn: cn=aaa,ou=groups,dc=example,dc=com
objectClass: posixGroup
gidNumber: 10001
memberUid: aaa
cn: aaa
# bbb, groups, example.com
dn: cn=bbb,ou=groups,dc=example,dc=com
objectClass: posixGroup
gidNumber: 10002
memberUid: bbb
cn: bbb
# people, example.com
dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people
description: people in organization
# servers, example.com
dn: ou=servers,dc=example,dc=com
objectClass: organizationalUnit
ou: servers
description: All computers in organisation
# 10.0.0.92, servers, example.com
dn: cn=10.0.0.92,ou=servers,dc=example,dc=com
objectClass: groupOfNames
cn: 10.0.0.92
description: Allowed access
member: cn=Test Users,ou=access-groups,dc=example,dc=com
member: uid=bbb,dc=example,dc=com
# aaa, example.com
dn: uid=aaa,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: ldapPublicKey
objectClass: shadowAccount
cn: Test User A
sn: A
uid: aaa
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/aaa
loginShell: /usr/local/bin/bash
mail: a@example.com
ou: users
userPassword:: xxx
# bbb, example.com
dn: uid=bbb,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: ldapPublicKey
objectClass: shadowAccount
cn: Test User B
sn: B
uid: bbb
uidNumber: 10002
gidNumber: 10002
homeDirectory: /home/bbb
loginShell: /usr/local/bin/bash
mail: b@example.com
ou: users
userPassword:: xxx
Command:
--------
$ ldapsearch -x -D "uid=bbb,dc=example,dc=com" -W -b dc=example,dc=com
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
Output from log:
----------------
56c4857b => access_allowed: result not in cache (userPassword)
56c4857b => access_allowed: auth access to "uid=bbb,dc=example,dc=com" "userPassword" requested
56c4857b => acl_get: [1] attr userPassword
56c4857b => acl_mask: access to entry "uid=bbb,dc=example,dc=com", attr "userPassword" requested
56c4857b => acl_mask: to value by "", (=0)
56c4857b <= check a_dn_pat: self
56c4857b <= check a_set_pat: [cn=10.0.0.92,ou=servers,dc=example,dc=com]/member* & user
56c4857b ACL set[0]=cn=test users,ou=access-groups,dc=example,dc=com
56c4857b ACL set[1]=uid=bbb,dc=example,dc=com
56c4857b ACL set[0]=cn=test users,ou=access-groups,dc=example,dc=com
56c4857b ACL set[1]=uid=bbb,dc=example,dc=com
56c4857b ACL set[2]=uid=aaa,ou=people,dc=example,dc=com
56c4857b <= check a_dn_pat: *
56c4857b <= acl_mask: [3] applying none(=0) (stop)
56c4857b <= acl_mask: [3] mask: none(=0)
56c4857b => slap_access_allowed: auth access denied by none(=0)
56c4857b => access_allowed: no more rules
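The log already contains the whole explanation: during a simple bind the connection is still anonymous ('acl_mask: to value by ""'), so "by self" cannot match, the set "[...]/member* & user" is intersected with an empty bound DN and yields nothing, and "by * none" then refuses the "auth" access that a bind needs on userPassword. The usual remedy is a dedicated "to attrs=userPassword by anonymous auth by self write by * none" directive placed before the catch-all. The Python below is an added toy model of that evaluation, not slapd code and not part of the gist: it implements only the clauses the log exercises, rebuilds the member closure the "ACL set[n]=" lines enumerate, and compares the page's directive with the corrected one. PAGE_ACL, FIXED_ACL, DIRECTORY and the function names are mine; FIXED_ACL is the standard pattern, not something the gist proposes.

```python
"""Toy model of slapd access-control evaluation, reconstructed from the
olcAccess directives and LDIF on the page. Added illustration only: it
covers just the clauses the log exercises (self, anonymous, *, users and
the set expression [dn]/member* & user), not the full slapd.access grammar."""

# slapd access levels in increasing order: a granted level satisfies any
# requested level at or below it, so "read" would also satisfy "auth".
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Minimal directory built from the LDIF above (only the member attributes
# the set expression walks). Keys and values are lower-cased, which mirrors
# the normalised DNs printed in the "ACL set[n]=" log lines.
DIRECTORY = {
    "cn=10.0.0.92,ou=servers,dc=example,dc=com": {
        "member": ["cn=test users,ou=access-groups,dc=example,dc=com",
                   "uid=bbb,dc=example,dc=com"]},
    "cn=test users,ou=access-groups,dc=example,dc=com": {
        "member": ["uid=aaa,ou=people,dc=example,dc=com"]},
}

# Constructed ACLs. PAGE_ACL is the {0} directive from the gist; the {1}
# directive is left out because "{0}to *" covers every target, so slapd
# never consults it. FIXED_ACL is the usual remedy (assumed, not from the
# page): grant anonymous "auth" on userPassword before the catch-all.
PAGE_ACL = [
    {"attrs": None, "by": [
        ("self", "read"),
        ("set=[cn=10.0.0.92,ou=servers,dc=example,dc=com]/member* & user", "read"),
        ("*", "none")]},
]
FIXED_ACL = [
    {"attrs": {"userpassword"}, "by": [
        ("anonymous", "auth"), ("self", "write"), ("*", "none")]},
] + PAGE_ACL


def member_closure(root_dn):
    """Expand [root]/member*: every DN reachable from root through member,
    which is the list the 'ACL set[n]=' log lines print out."""
    result, todo = set(), [root_dn.lower()]
    while todo:
        for value in DIRECTORY.get(todo.pop(), {}).get("member", []):
            value = value.lower()
            if value not in result:
                result.add(value)
                todo.append(value)
    return result


def who_matches(who, requester, target):
    """Evaluate one 'by <who>' clause; requester '' means anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester == ""
    if who == "users":
        return requester != ""
    if who == "self":
        return requester != "" and requester == target
    if who.startswith("set=["):
        # Only the shape used on the page: [<dn>]/member* & user.
        # "user" is the bound DN, so for an anonymous requester the
        # intersection is empty and the clause cannot match.
        root = who[len("set=["):who.index("]")]
        return requester != "" and requester in member_closure(root)
    raise ValueError("unsupported <who> clause: " + who)


def access_allowed(acl, target, attr, requester, wanted):
    """Walk the ACL as slapd does: the first directive whose <what> covers
    the target is the only one used, and inside it the first matching <by>
    clause decides. A directive with no matching <by> clause denies (the
    default 'stop' control). Returns (allowed, explanation)."""
    target, requester = target.lower(), requester.lower()
    for index, rule in enumerate(acl):
        if rule["attrs"] is not None and attr.lower() not in rule["attrs"]:
            continue
        for who, level in rule["by"]:
            if who_matches(who, requester, target):
                ok = LEVELS.index(level) >= LEVELS.index(wanted)
                verdict = "allowed" if ok else "denied"
                return ok, f"directive {index}: by {who} {level} -> {verdict}"
        return False, f"directive {index}: no <by> clause matched -> denied"
    return False, "no directive covers the target -> denied"


def simple_bind(acl, bind_dn):
    """A simple bind needs 'auth' on the entry's userPassword, and at that
    point the connection is still anonymous: this is the '(=0)' in the log."""
    return access_allowed(acl, bind_dn, "userPassword", "", "auth")


if __name__ == "__main__":
    bbb = "uid=bbb,dc=example,dc=com"
    print("page ACL, bind as bbb :", simple_bind(PAGE_ACL, bbb))
    print("fixed ACL, bind as bbb:", simple_bind(FIXED_ACL, bbb))
    # Once bound, bbb is in the member closure and the set clause does work.
    print("bbb reads aaa's mail  :",
          access_allowed(PAGE_ACL, "uid=aaa,dc=example,dc=com", "mail", bbb, "read"))
```

Two further things the model makes visible from the page's own data: the {1} directive (self write, peername.ip=127.0.0.1 write) is unreachable as long as {0} starts with "to *", and the Test Users group lists uid=aaa,ou=people,dc=example,dc=com while the actual entry is uid=aaa,dc=example,dc=com, so aaa is never in the set even after a successful bind.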