Jittinan Suwanrueangsri <jittinan2@gmail.com> writes:
Dieter Kluenter wrote:
Jittinan Suwanrueangsri <jittinan2@gmail.com> writes:
access to attrs=userPassword
by self write
by anonymous auth
by * none
access to dn.subtree="ou=System,dc=example,dc=com"
by group/groupOfUniqueNames/uniqueMember="cn=Ldap Admins,ou=Groups,dc=example,dc=com" write
by users read
access to *
by self write
by users read
by * none
This access rules will not allow anonymous auth access to basedn special
attribute entry,
=> hdb_dn2id("uid=matt,ou=users,dc=example,dc=com")
<= hdb_dn2id: got id=0x5
entry_decode: ""
<= entry_decode()
send_ldap_result: conn=0 op=1 p=3
SASL [conn=0] Failure: no secret in database
send_ldap_result: conn=0 op=1 p=3
send_ldap_response: msgid=2 tag=97 err=49
ber_flush2: 62 bytes to sd 16
<== slap_sasl_bind: rc=49
[...]
sasl reports 'no secret in database, check your access rules!
[...]
Please run slapd in debugging mode acl, this will show you the applied
access rules. You should see something like this:
acl_mask: access to entry "o=avci,c=de", attr "entry" requested
=> acl_mask: to all values by "", (=0)
<= check a_dn_pat: users
<= check a_dn_pat: anonymous
<= acl_mask: [3] applying auth(=xd) (stop)
<= acl_mask: [3] mask: auth(=xd)
=> slap_access_allowed: auth access granted by auth(=xd)
[...]
acl_mask: access to entry "cn=admanager,o=avci,c=de", attr "objectClass" requested
=> acl_mask: to all values by "", (=0)
<= check a_dn_pat: users
<= check a_dn_pat: anonymous
<= acl_mask: [3] applying auth(=xd) (stop)
<= acl_mask: [3] mask: auth(=xd)
[...]
=> access_allowed: auth access to "cn=admanager,o=avci,c=de" "userPassword" requested
=> acl_get: [1] attr userPassword
[...]