OpenLDAP Software FAQ : Common Errors : ldap_bind: Insufficient access
Current versions of slapd(8) require that a client hold auth access to the attribute types used for authentication (normally userPassword) before it can perform a bind operation against them. Because every bind operation is evaluated as anonymous (regardless of whether an earlier bind on the connection succeeded), auth access to those attributes must be granted to anonymous; otherwise the bind fails with "Insufficient access".

The example ACL below grants the following access:

  • to anonymous users:
    • permission to authenticate (bind) using values of userPassword, but not to read, compare or search them
  • to authenticated users:
    • permission to update (but not read) their own userPassword: "=w" grants exactly the write privilege, whereas the cumulative "write" level would also include read
    • permission to write the other attributes of their own entry
    • permission to read any object, excepting values of userPassword
All other access is denied. In particular, an authenticated user matches neither "by" clause of the userPassword rule, so nobody but the entry's owner can modify another entry's password. Clause order matters: the first "access to" clause whose target matches is the one used, so the userPassword rule must precede the catch-all "access to *".
# Authentication attribute: the owner gets exactly the write privilege
# (=w, no read), anonymous gets auth only (bind against it, no read).
# Any other authenticated user matches no "by" clause and is denied.
access to attrs=userPassword
        by self =w
        by anonymous auth

# Everything else: the owner may write, any authenticated user may
# read; anonymous matches neither clause and is denied.
access to *
        by self write
        by users read
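To make the evaluation order concrete, here is a small model of how slapd(8) applies the ACL above to a bind and to later reads and writes. It is an added example, not OpenLDAP code or the FAQ's own: it reimplements only the slapd.access(5) rules the FAQ relies on (first matching "access to" clause is used, first matching "by" clause inside it decides, a clause with no matching "by" denies, levels are cumulative, "=" grants exactly the listed privilege letters) and ignores the entry/children pseudo-attributes and the other <who> forms. The DNs, the NO_ANON_AUTH_ACL and LEVEL_WRITE_ACL variants are invented for the demonstration.

```python
"""Model of slapd(8) ACL evaluation for the FAQ's two-clause example.

Constructed example, not OpenLDAP code. Shows why the bind succeeds only
when "by anonymous auth" is present, and why "=w" keeps userPassword
unreadable while the "write" level would not.
"""

# Cumulative access levels as the privilege letters they include
# (d=disclose, x=auth, c=compare, s=search, r=read, w=write, m=manage).
LEVELS = {
    "none": "",
    "disclose": "d",
    "auth": "dx",
    "compare": "dxc",
    "search": "dxcs",
    "read": "dxcsr",
    "write": "dxcsrw",
    "manage": "dxcsrwm",
}

# Privilege letter each operation needs on the attribute it touches.
NEEDS = {"bind": "x", "read": "r", "compare": "c", "search": "s", "write": "w"}


def privileges(spec):
    """Expand an <access> spec: a level name, or "=" + exact privilege letters."""
    if spec.startswith("="):
        return set(spec[1:])      # exact: "=w" is write WITHOUT read
    return set(LEVELS[spec])      # level: "write" includes read, auth, ...


def who_matches(who, requester, target_dn):
    """The <who> forms the FAQ uses; requester is None when anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == target_dn.lower()
    raise ValueError("unsupported <who>: %s" % who)


def allowed(acl, requester, target_dn, attr, op):
    """First-match evaluation of [(what, [(who, access), ...]), ...].

    what is "*" (any attribute) or an attribute name (attrs=NAME);
    LDAP attribute names compare case-insensitively.
    """
    need = NEEDS[op]
    for what, by_clauses in acl:
        if what != "*" and what.lower() != attr.lower():
            continue
        for who, spec in by_clauses:
            if who_matches(who, requester, target_dn):
                return need in privileges(spec)
        return False  # clause selected but no "by" matched: implicit deny
    return False      # no clause matched: implicit deny


# The FAQ's ACL.
FAQ_ACL = [
    ("userPassword", [("self", "=w"), ("anonymous", "auth")]),
    ("*", [("self", "write"), ("users", "read")]),
]

# Invented variant: "by anonymous auth" left out, so every bind is denied.
NO_ANON_AUTH_ACL = [
    ("userPassword", [("self", "=w")]),
    ("*", [("self", "write"), ("users", "read")]),
]

# Invented variant: cumulative "write" level instead of exact "=w", so the
# owner can also read back the stored userPassword value.
LEVEL_WRITE_ACL = [
    ("userPassword", [("self", "write"), ("anonymous", "auth")]),
    ("*", [("self", "write"), ("users", "read")]),
]

ALICE = "uid=alice,ou=people,dc=example,dc=com"   # invented DNs
BOB = "uid=bob,ou=people,dc=example,dc=com"


def bind_outcome(acl, dn):
    """A bind is evaluated anonymously: it needs auth on the bind DN's userPassword."""
    if allowed(acl, None, dn, "userPassword", "bind"):
        return "bind proceeds"
    return "ldap_bind: Insufficient access"


if __name__ == "__main__":
    print("FAQ ACL:                  ", bind_outcome(FAQ_ACL, ALICE))
    print("without by anonymous auth:", bind_outcome(NO_ANON_AUTH_ACL, ALICE))
    print("alice reads own userPassword (=w):   ", allowed(FAQ_ACL, ALICE, ALICE, "userPassword", "read"))
    print("alice reads own userPassword (write):", allowed(LEVEL_WRITE_ACL, ALICE, ALICE, "userPassword", "read"))
    print("alice writes bob's userPassword:     ", allowed(FAQ_ACL, ALICE, BOB, "userPassword", "write"))
    print("alice reads bob's cn:                ", allowed(FAQ_ACL, ALICE, BOB, "cn", "read"))
    print("anonymous reads bob's cn:            ", allowed(FAQ_ACL, None, BOB, "cn", "read"))
```

The model makes the two failure modes visible: drop the "by anonymous auth" line and the bind itself is denied before any password is checked, and replace "=w" with "write" and the entry owner can read its own password hash, which the FAQ's ACL deliberately prevents.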

Note that the latest versions of slapd(8) report "Invalid credentials" rather than "Insufficient access" when the client lacks the access needed to complete the bind. This avoids inappropriate disclosure of whether the user's name is valid; when diagnosing an unexpected "Invalid credentials", check the ACLs on the authentication attributes as well as the password.
See also: ldapadd(1) ldapdelete(1) ldapmodify(1) ldapmodrdn(1) ldapsearch(1) slapd.conf(5) Access Control
This document is: http://www.openldap.org/faq/index.cgi?file=171
© Copyright 1998-2013, OpenLDAP Foundation, info@OpenLDAP.org