
Re: slapd ACLs



Thank you for your answer, Olivier. I tried to do this but it didn't work. The logs look like this:

conn=1001 op=0 BIND dn="user2,ou=people,dc=mydomain,dc=org" method=128
conn=1001 op=0 BIND dn="user2,ou=people,dc=mydomain,dc=org" mech=SIMPLE ssf=0
conn=1001 op=0 RESULT tag=97 err=0 text=
conn=1001 op=1 SRCH base="user1,ou=people,dc=mydomain,dc=org" scope=2 deref=0 filter="(objectClass=*)"
conn=1001 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
conn=1001 op=2 UNBIND

I triple-checked, and when it works, with the dn.subtree permission at the beginning of slapd.conf, I have:
conn=1000 op=0 BIND dn="user2,ou=people,dc=mydomain,dc=org" method=128
conn=1000 op=0 BIND dn="user2,ou=people,dc=mydomain,dc=org" mech=SIMPLE ssf=0
conn=1000 op=0 RESULT tag=97 err=0 text=
conn=1000 op=1 SRCH base="user1,ou=people,dc=mydomain,dc=org" scope=2 deref=0 filter="(objectClass=*)"
conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1000 op=2 UNBIND




----- Original Mail -----
> From: Olivier <ldap@guillard.nom.fr>
> To: Mik J <mikydevel@yahoo.fr>
> Cc: 
> Sent: Sunday 30 September 2012 20:29
> Subject: Re: slapd ACLs
> 
> Try to put this rule :
> 
>>  access to dn.subtree=""
>>          by * read
> 
> after the two others.
> 
> (once a rule matches, the scan stops: order counts)
> 
> --
> Olivier
> 
> 2012/9/30 Mik J <mikydevel@yahoo.fr>:
>>  Hello,
>> 
>>  I'm a bit confused with the ACLs in my slapd.conf considering I have this
>> 
>>  access to dn.subtree=""
>>          by * read
>> 
>>  access to attrs=userPassword,shadowMax,shadowExpire,sambaLMPassword,sambaNTPassword
>>          by dn.regex="uid=[^/]+/admin\+(realm=MYDOMAIN.ORG)?" write
>>          by dn="uid=admin,ou=people,dc=mydomain,dc=org" write
>>          by self write
>>          by anonymous auth
>>          by * none
>> 
>>  access to *
>>          by dn.regex="uid=[^/]+/admin\+(realm=MYDOMAIN.ORG)?" =wrscx
>>          by self write
>>          by users read
>>          by anonymous auth
>>          by * none
>> 
>> 
>>  When I do a ldapsearch without authentication, I can see the user's details including the unencrypted password
>> 
>>  ldapsearch -x -b "uid=user1,ou=people,dc=mydomain,dc=org"
>>  I think that it's because of the rule access to dn.subtree="" by * read
>>  With an authenticated user it works as well
>> 
>>  ldapsearch -x -D uid=user2,ou=people,dc=mydomain,dc=org -b "uid=user1,ou=people,dc=mydomain,dc=org" -W
>> 
>>  But if I comment these two lines
>>  #access to dn.subtree=""
>>  #        by * read
>>  The search doesn't give me any result
>> 
>>  ldapsearch -x -D uid=user2,ou=people,dc=mydomain,dc=org -b "uid=user1,ou=people,dc=mydomain,dc=org" -W
>>  # search result
>>  search: 2
>>  result: 32 No such object
>>  # numResponses: 1
>> 
>>  I would have expected that this command matched
>>  access to *
>>          by users read
>> 
>>  My goal is that only authenticated users would be able to access the ldap directory and users can change their passwords
>> 
>>  Does anyone have an idea on how to explain this behavior?
>> 
>>  Thank you
>> 
>
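As an added illustration of the first-match rule Olivier describes (this is not code from the thread or from OpenLDAP), the Python model below walks the three `access to` clauses from the original post in both orders and reports what an anonymous search and a bound user get. It assumes `dn.subtree=""` matches every entry, leaves out the `dn.regex` admin line, and says nothing about what produced the `err=32` result in the logs above.

```python
from dataclasses import dataclass

LEVELS = ["none", "auth", "compare", "search", "read", "write"]

@dataclass
class By:
    who: str        # "*", "anonymous", "users", "self" or "dn=<exact dn>"
    level: str

@dataclass
class AccessTo:
    attrs: "set | None"   # None: any attribute of any entry (access to * / dn.subtree="")
    by: "list[By]"

def who_matches(by, requester, target_dn):
    """<who> test; requester is None for an anonymous (-x without -D) search."""
    if by.who == "*":
        return True
    if by.who in ("anonymous", "users"):
        return (requester is None) == (by.who == "anonymous")
    if by.who == "self":
        return requester == target_dn
    return by.who.startswith("dn=") and requester == by.who[3:]

def evaluate(acl, requester, target_dn, attr):
    """Access level for attr on target_dn: first matching <what>, then first matching <by>."""
    for clause in acl:
        if clause.attrs is not None and attr not in clause.attrs:
            continue                 # <what> does not match: keep scanning
        for by in clause.by:
            if who_matches(by, requester, target_dn):
                return by.level      # first matching <by> decides and the scan stops
        return "none"                # <what> matched but no <by> did
    return "none"                    # implicit trailing "access to * by * none"

# The clauses from the original post (constructed here; dn.regex admin line omitted).
ADMIN = "uid=admin,ou=people,dc=mydomain,dc=org"
SENSITIVE = {"userPassword", "shadowMax", "shadowExpire", "sambaLMPassword", "sambaNTPassword"}
SUBTREE_READ = AccessTo(None, [By("*", "read")])   # access to dn.subtree="" by * read
PASSWORD_ATTRS = AccessTo(SENSITIVE, [By("dn=" + ADMIN, "write"), By("self", "write"),
                                      By("anonymous", "auth"), By("*", "none")])
CATCH_ALL = AccessTo(None, [By("dn=" + ADMIN, "write"), By("self", "write"),
                            By("users", "read"), By("anonymous", "auth"), By("*", "none")])
AS_POSTED = [SUBTREE_READ, PASSWORD_ATTRS, CATCH_ALL]   # subtree rule first: it wins every time
REORDERED = [PASSWORD_ATTRS, CATCH_ALL, SUBTREE_READ]   # after "access to *" it is never reached
USER1 = "uid=user1,ou=people,dc=mydomain,dc=org"

def anon_can_read_password(acl):
    return LEVELS.index(evaluate(acl, None, USER1, "userPassword")) >= LEVELS.index("read")
```

Once the subtree rule sits after `access to *`, no request ever reaches it, so in that position it is dead configuration rather than a grant.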