Hi, +1 and.. A good way to think about ACL rule construction is to say:

1/ the rule lines are scanned from top to bottom;
2/ every line is scanned from left to right;
3/ when the LDAP query matches one rule, the scan process is *immediately* stopped.

In this case:

    access to * by * write by anonymous none

"by anonymous" is *never* scanned because it is to the right of "by *", which matches everything.
Cheers.

On 23/09/2015 11:29, Michael Ströder wrote:
> Dario Zanzico wrote:
>> On Wed, Sep 23, 2015, at 10:36 AM, Fischer, Johannes wrote:
>>> I struggle with the ACLs. I want a special account to check the username and PW of the entries on the LDAP server. Therefore I've written the following in the slapd.conf file:
>>>
>>>   access to attrs=userPassword
>>>     by dn="cn=authenticate,dc=vfk,dc=ldap,dc=com" write
>>>     by self write
>>>     by anonymous none
>>
>> This ACL makes everyone able to write everything (except the password, which can be written by cn=authenticate and self), and makes it impossible to bind non-anonymously. If you want users to be able to authenticate you should give 'anonymous' users auth permissions to the userpassword attr:
>>
>>   access to attrs=userpassword
>>     # allow connections to bind as user
>>     by anonymous auth
>>     # allow self password change
>>     by self write
>>     # allow cn=authenticate password change
>>     by dn="cn=authenticate,dc=vfk,dc=ldap,dc=com" write
>
> Also note that "write" also includes "read" access, which is not necessary. Better use privileges.
>
> I've compiled some of my usual simple patterns into this example config:
> https://build.opensuse.org/package/view_file/home:stroeder:branches:network:ldap/openldap2/slapd.conf.example?expand=1
>
> YMMV. So everybody caring for real access control should really dive into slapd.access(5) [1].
>
> [1] http://www.openldap.org/software/man.cgi?query=slapd.access
>
> Ciao, Michael.
-- *Abdelhamid Meddeb* http://www.meddeb.net
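The first-match scan described above, and the difference between the posted and the corrected userPassword ACL, can be checked without a running slapd with a small evaluator. The following is an added example written for this page, not code from the thread or from the OpenLDAP project. It models only the subset of slapd.access(5) syntax the thread uses (first matching "access to" directive wins, first matching "by" clause inside it decides, no matching "by" clause means denied). Both sample configs are constructed: POSTED is the original ACL plus the catch-all line Abdelhamid quotes; CORRECTED is Dario's version, with a `=w` privilege for cn=authenticate and a `by users read` catch-all added here as one reading of Michael's remark, not text from the thread. The DNs uid=alice and uid=bob are made up.

```python
"""Toy evaluator for the slapd.access(5) subset used in this thread (added example).

Modelled: 'access to *' and 'access to attrs=<list>'; subjects *, anonymous, users,
self, dn="<exact dn>"; named levels none..manage and the '=<letters>' form.
Not modelled: stop/continue/break control, +/- privilege arithmetic, regex styles.
"""
import shlex

# Privilege ladder; granting a named level grants every letter at or below it.
LEVEL_ORDER = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
LEVEL_LETTER = dict(zip(LEVEL_ORDER, "0dxcsrwm"))


def level_privs(level):
    """Privilege letters implied by a named level or an '=<letters>' spec."""
    if level.startswith("="):
        return frozenset(level[1:]) - {"0"}
    if level not in LEVEL_ORDER:
        raise ValueError(f"unknown access level {level!r}")
    return frozenset(LEVEL_LETTER[n] for n in LEVEL_ORDER[1:LEVEL_ORDER.index(level) + 1])


def parse_acl(text):
    """Parse slapd.conf 'access' directives; # comments and continuation lines allowed."""
    tokens = []
    for raw in text.splitlines():
        tokens.extend(shlex.split(raw.split("#", 1)[0]))
    directives, i = [], 0
    while i < len(tokens):
        if tokens[i:i + 2] != ["access", "to"] or i + 2 >= len(tokens):
            raise ValueError(f"expected 'access to <what>' near token {i}")
        what, i, clauses = tokens[i + 2], i + 3, []
        while i < len(tokens) and tokens[i] == "by":
            if i + 2 >= len(tokens):
                raise ValueError("truncated 'by' clause")
            who, level = tokens[i + 1], tokens[i + 2]
            clauses.append((who, level, level_privs(level)))  # level_privs validates
            i += 3
        directives.append((what, clauses))
    return directives


def what_matches(what, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr.lower() in [a.lower() for a in what[len("attrs="):].split(",")]
    raise ValueError(f"unsupported target {what!r}")


def who_matches(who, bind_dn, entry_dn):
    """bind_dn is None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    if who.startswith("dn="):
        return bind_dn is not None and bind_dn.lower() == who[len("dn="):].lower()
    raise ValueError(f"unsupported subject {who!r}")


def granted(directives, bind_dn, entry_dn, attr):
    """Privilege letters bind_dn gets on attr of entry_dn under first-match rules."""
    for what, clauses in directives:
        if not what_matches(what, attr):
            continue                  # try the next 'access to' line
        for who, _level, privs in clauses:
            if who_matches(who, bind_dn, entry_dn):
                return privs          # first matching 'by' clause ends the scan
        return frozenset()            # target matched, no subject matched: denied
    return frozenset()                # no directive matched: denied


def can(directives, bind_dn, entry_dn, attr, letter):
    """True if the privilege letter (x=auth, r=read, w=write, ...) is granted."""
    return letter in granted(directives, bind_dn, entry_dn, attr)


def shadowed_clauses(directives):
    """'by' clauses that can never fire because an earlier 'by *' in the same
    directive already matches every subject (the point made at the top of the thread)."""
    dead = []
    for what, clauses in directives:
        star_seen = False
        for who, level, _privs in clauses:
            if star_seen:
                dead.append(f"access to {what}: by {who} {level}")
            star_seen = star_seen or who == "*"
    return dead


# Constructed sample configs (see lead-in): not verbatim from the thread.
POSTED = """
access to attrs=userPassword
    by dn="cn=authenticate,dc=vfk,dc=ldap,dc=com" write
    by self write
    by anonymous none
access to *
    by * write
    by anonymous none
"""

CORRECTED = """
access to attrs=userpassword
    by anonymous auth                                   # lets clients bind as the user
    by self write                                       # self password change
    by dn="cn=authenticate,dc=vfk,dc=ldap,dc=com" =w    # write only, no implied read
access to *
    by users read
"""

if __name__ == "__main__":
    AUTH = "cn=authenticate,dc=vfk,dc=ldap,dc=com"
    ALICE = "uid=alice,ou=people,dc=vfk,dc=ldap,dc=com"   # made-up entry
    posted, fixed = parse_acl(POSTED), parse_acl(CORRECTED)
    print("never scanned:", shadowed_clauses(posted))
    print("anonymous can bind as alice? posted:", can(posted, None, ALICE, "userPassword", "x"),
          "corrected:", can(fixed, None, ALICE, "userPassword", "x"))
    print("anonymous can write alice's mail? posted:", can(posted, None, ALICE, "mail", "w"))
    print("cn=authenticate reads userPassword? corrected:", can(fixed, AUTH, ALICE, "userPassword", "r"))
```

Running it shows the three effects discussed in the thread: the trailing `by anonymous none` of the catch-all is dead, anonymous binds fail under the posted ACL because simple bind needs `auth` (the `x` letter) on userPassword, and under the corrected ACL cn=authenticate can write the password without being able to read it.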