
Re: Trying to figure out access policies



At 09:38 AM 6/27/2006, Jason Lixfeld wrote:
>I think I'm somewhat versed in the basics of OpenLDAP, but the  
>concept of access policies eludes me because they are far beyond my  
>current level of comprehension.  That being said, I'm doing some  
>trial by fire to try to make sense of how they work and hopefully  
>will then be able to relate some of what I read in the manual to what  
>I've made happen in tests...
>
>I'm trying to get a proxyuser working so I don't have to do  
>everything as Manager.
>
>I put this entry into my slapd.conf as per some tutorials I read:
>
>access to attrs=userPassword
>       by dn="cn=Proxyuser,dc=example,dc=ca" read
>
>and likewise, these entries into my ldap.conf:
>
>binddn cn=Proxyuser,dc=example,dc=ca
>bindpw ****
>rootbinddn cn=Proxyuser,dc=example,dc=ca
>
>and finally, the Proxyuser password in /etc/ldap.secret.

bindpw and rootbinddn are not OpenLDAP configuration directives.
binddn is, but it's not relevant here as you used the -D flag
(or were specifying an anonymous bind).  I also do not see the
relevance of a ldap.secret given you didn't tell ldapsearch(1)
to use a password file (via the -y flag).

>Also, I'm a little confused about the difference between binddn and  
>rootbinddn.

Well, given that rootbinddn is not an OpenLDAP ldap.conf(5) directive,
it's ignored.  As was bindpw.  In your use of ldapsearch(1), the binddn
directive was ignored because you either provided a binddn or
were specifying an anonymous bind (e.g., no password).

Note that discussion regarding the difference of directives in
non-OpenLDAP software packages (such as PAM/LDAP and NSS/LDAP)
is off-topic here.

- Kurt
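An added example, not from the thread or from OpenLDAP's own documentation: a tighter form of the quoted userPassword ACL (a proxy account that only looks up users has no need to read password hashes), the ldapsearch(1) invocation using -D and -y that the reply refers to, and a small check that prints the lines in an ldap.conf that OpenLDAP's ldap.conf(5) does not recognise and therefore ignores. The host name ldap.example.ca and the KNOWN directive list (a subset of ldap.conf(5)) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed: host ldap.example.ca and the
# DNs from the quoted slapd.conf; KNOWN is only a subset of ldap.conf(5).

# 1. A tighter ACL than "by dn=... read": the proxy account never needs to
#    read password hashes.  Users bind as themselves (a bind request arrives
#    anonymous, hence "by anonymous auth"); the proxy only needs read on the
#    other attributes, which a separate rule grants.
recommended_userpassword_acl() {
  cat <<'EOF'
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by dn.exact="cn=Proxyuser,dc=example,dc=ca" read
        by users read
        by * none
EOF
}

# 2. Using the proxy account with ldapsearch(1): identity via -D, password
#    read from a root-only file via -y.  The file's entire contents, a
#    trailing newline included, become the password, so create it with
#    printf rather than echo.
proxy_search() {
  ldapsearch -x -H ldap://ldap.example.ca \
    -D "cn=Proxyuser,dc=example,dc=ca" -y /etc/ldap.secret \
    -b "dc=example,dc=ca" "(uid=$1)" uid cn
}

# 3. Lint an ldap.conf: print each directive that is not an OpenLDAP
#    ldap.conf(5) directive, i.e. lines libldap silently ignores
#    (bindpw, rootbinddn, ...).  Directives are matched case-insensitively.
KNOWN=" URI BASE BINDDN HOST PORT DEREF SIZELIMIT TIMELIMIT REFERRALS TLS_CACERT TLS_CACERTDIR TLS_CERT TLS_KEY TLS_REQCERT SASL_MECH SASL_REALM SASL_AUTHCID SASL_AUTHZID "
ldapconf_ignored_directives() {
  awk -v known="$KNOWN" '
    /^[[:space:]]*(#|$)/ { next }                 # skip comments and blank lines
    { d = toupper($1); if (index(known, " " d " ") == 0) print $1 }
  ' "$1"
}
```

Run `ldapconf_ignored_directives /etc/openldap/ldap.conf` (or wherever your ldap.conf lives) to see which lines the OpenLDAP tools will never act on.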