
Re: Problem with ACLs



On Fri, Aug 31, 2018 at 11:05:34AM -0700, Quanah Gibson-Mount wrote:
> Hi Bill,
>
> As was noted to you yesterday on the IRC channel, slapacl takes the same -f/-F flags as the other slap* commands. So if you are using a cn=config based server, then you use -F /path/to/configuration.

Quanah,

*facepalm* my mistake.

Got further this time.  slapacl says it should work:

[root@hou-1 openldap]# slapacl -F /etc/openldap/slapd.d -v \
    -D "uid=romanager,ou=Users,dc=domain,dc=com" \
    -b "employeeNumber=413111,ou=people,dc=domain,dc=com" userPassword/read
authcDN: "uid=romanager,ou=users,dc=domain,dc=com"
read access to userPassword: ALLOWED

But when I try to look up data with ldapsearch, as that user:

$ ldapsearch -x -W -H ldaps://hou-1.master.ldap.prod.domain.com \
    -D "uid=romanager,ou=Users,dc=domain,dc=com" \
    -b "ou=people,dc=domain,dc=com" -s sub employeeNumber=413111
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

It works as RootDN of course:

$ ldapsearch -x -W -H ldaps://hou-1.master.ldap.prod.domain.com \
    -D "cn=manager,dc=domain,dc=com" \
    -b "ou=people,dc=domain,dc=com" -s sub employeeNumber=1809 | grep userPassword
Enter LDAP Password:
userPassword:: PASSWORDHASH-SANITIZED

HOWEVER, I can set up a profile in Apache Directory Studio with the same
user (uid=romanager,ou=Users,dc=domain,dc=com) as BindDN, WITH password,
click "Check Authentication" and it passes the test, and connect/bind to
the directory as that user. But then it will only show me userPassword
for the user I used for BindDN itself, and none else.

I can connect with ADS using the RootDN info as BindDN and see all info
for every user, as expected.

Thank y'all for all of the help so far.  It's really appreciated.

Even if I've made a couple of stupid goof mistakes.

Bill

--
Bill Bradford
Houston, Texas USA
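Added example, not from the thread and not OpenLDAP's own configuration: a cn=config olcAccess rule set that grants a read-only manager account read access to userPassword while keeping the clause a simple bind depends on. The caveat behind it: slapacl evaluates only the ACL for the entry and attribute named on its command line; it never performs a bind. A simple bind is evaluated as an anonymous operation that needs auth access to the target entry's userPassword, so a rule set that lists the manager first but omits "by anonymous auth" (the commented "before" rule) passes exactly the slapacl read test shown in the message while every simple bind returns "Invalid credentials (49)". The database entry (olcDatabase={1}mdb), the suffix dc=domain,dc=com and the manager DN are assumptions taken from the thread.

```ldif
# Added example, not the poster's or OpenLDAP's configuration. The database
# entry olcDatabase={1}mdb, the suffix dc=domain,dc=com and the manager DN
# uid=romanager,ou=Users,dc=domain,dc=com are assumptions.
#
# "Before": the manager is granted read on userPassword, but no clause grants
# the auth access that slapd needs when it checks a simple bind as anonymous.
# slapacl -D <manager> ... userPassword/read says ALLOWED; every simple bind
# by an ordinary user fails with (49) because "by * none" is the match.
#
# dn: olcDatabase={1}mdb,cn=config
# olcAccess: {0}to attrs=userPassword
#   by dn.exact="uid=romanager,ou=Users,dc=domain,dc=com" read
#   by * none
#
# "After": the same grant, plus the self-write and anonymous-auth clauses.
# Clauses are tried in order; the first "by" that matches the identity wins,
# so the manager's read comes before the catch-all "by * none".
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by dn.exact="uid=romanager,ou=Users,dc=domain,dc=com" read
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to *
  by dn.exact="uid=romanager,ou=Users,dc=domain,dc=com" read
  by self write
  by users read
  by * none
```

Apply it over the local socket with ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif (assuming the usual root-only ldapi:/// authz mapping). To check the bind path with slapacl rather than the manager's read, run it against the binding user's own entry with userPassword/auth and no -D, so the check is evaluated as the anonymous identity slapd uses during a simple bind; if that reports DENIED while the read test reports ALLOWED, the ACL is the reason for the (49), whatever the bind DN's password is.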