Re: ACLs being ignored with rwm/relay

[Tim Watts <tw@dionic.net>]

On 21/06/12 13:48, Howard Chu wrote:
> Tim Watts wrote:
> > Hi,
> >
> > Wonderful - the slapd.conf (see end) with a slight re-arrangement, works!
> >
> > ldapsearch -H ldap://localhost/ -D cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk
> > -b dc=cch,dc=kcl,dc=ac,dc=uk
> >
> > does not return userPassword attributes (the -D is convenience, no auth
> > is performed).
> >
> >
> > However,
> >
> > ldapsearch -H ldapi:/// -D cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk -b
> > dc=cch,dc=kcl,dc=ac,dc=uk
> >
> > Does return userPassword - which is what I want. The UNIX domain socket
> > is protected under a root directory mode 700 so only root can connect
> > this way - ie, local root use has full unauthenticated access to ldap
> > which is what I want, so that scripts may easily be run to maintain the
> > LDAP database.
>
> The -D is meaningless in both cases. You're clearly using SASL Binds
> (using Simple binds would require a -x) and SASL Binds always ignore the
> Bind DN.

Thanks Howard,

LDAP auth (esp SASL) is a mystery to me as of now - that's the next bit 
I will have to grok after getting the thing to dish up directories in 
the right way :)

--
Tim Watts
Personal Blog: http://www.dionic.net/tim/