[Date Prev][Date Next] [Chronological] [Thread] [Top]

newbie question: No anonymous authentication = problems


I hope I am on the right list for questions like this. I manage a
OpenLDAP server installation on Ubuntu 8.10, and when I upgraded from
8.04 the configuration changed quite a bit.

I am trying to turn off anonymous access, but I get problems
connecting to the ldap database even when not using anonymous bind.

I managed to find the configuration options I was looking for (at
least i think so) with phpldapadmin. I found an object with dn
olcDatabase={1}bdb,cn=config, in which I found an attribute called
olcAccess, which I think is what I need to change. From the beginning
it said:

{0}to attrs=userPassword,shadowLastChange  by
dn.base="cn=manager,dc=mydomain,dc=com" write  by anonymous auth  by
self write  by * none
{1}to dn.base=""  by * read
{2}to *  by dn.base="cn=manager,dc=mydomain,dc=com" write  by * read

(of course with my dc values).

I tried to change the last entry to by * none, as I do not right now
need my users to be able to read their or other users' values. It
worked as expected, from an LDAP point of view, I still could log in
anonymously, but I could not browse the database, however, logged in
as manager it worked as it should.

The problem came in postfix, because I use my LDAP database (among
other things) as an alias table. So I configured postfix not to bind
anonymously, but to use
server_host = localhost
server_port = 389
search_base = dc=mydomain, dc=com
bind = yes
bind_dn = cn=manager, dc=mydomain, dc=com
bind_pw = mysecret
result_attribute = mail
query_filter = (|(uid=%s)(mailAlias=%s))

But I got
dict_ldap_lookup: Search error 50: Insufficient access
from the mail.log

When I changed back, it worked again. I have tried to change various
things (such as put in by anonymous auth before by * read, and
changing dc.base="..." to dc="..." both in the first and in the last
attribute value above, but it does not seem to change. What am I doing
wrong? Any help would be much appreciated.

Best regards,