Re: Invalid credentials
Dan Lowe wrote:

> Previously, Mathew Hennessy wrote:
>
> > access to attr=userPassword,ntPassword,lmPassword
> >         by self write
> >         by sockname=127.0.0.1 read
> >         by peername=127.0.0.1 read
> >         by anonymous auth
> >         by * none
> >
> > ldapsearch -x -h eddie -W -D "uid=hennessy,ou=people,o=netomat.net" uid=hennessy
>
> Are you expecting the sockname/peername to match and grant read access? If so, I think the problem is that you're telling slapd to allow access from 127.0.0.1, but then telling ldapsearch (and, I assume, your other tools) to connect to "eddie". If "eddie" is the main interface on the local host (for example, 1.2.3.4), that's not enough. slapd will get a connection from 1.2.3.4 to 1.2.3.4, rather than 127.0.0.1 -> 127.0.0.1. Does it work any differently if you specify "-h localhost" or "-h 127.0.0.1"?

Thanks for the note. This search was run from a different system, and the sockname/peername thing is there in order to prevent anonymous search results from including *Password attributes.

Also, running the bind request from localhost fails as well:

[root@eddie conf]# /usr/local/bin/ldapsearch -x -W -D"uid=hennessy,ou=people,o=netomat.net" uid=hennessy
Enter LDAP Password:
ldap_bind: Invalid credentials
:/

> > May 29 14:36:49 eddie slapd[24499]: => acl_mask: to all values by "", (=n)
> > May 29 14:36:49 eddie slapd[24499]: <= check a_dn_pat: self
> > May 29 14:36:49 eddie slapd[24499]: <= check a_sockname_path: 127.0.0.1
> > May 29 14:36:49 eddie slapd[24499]: <= check a_peername_path: 127.0.0.1
> > May 29 14:36:49 eddie slapd[24499]: <= check a_dn_pat: anonymous
> > May 29 14:36:49 eddie slapd[24499]: <= acl_mask: [4] applying auth (=x)
>
> Notice how it skipped right over the two 127.0.0.1 directives and they did not match. I'd say either redefine the ACL to use both 127.0.0.1 and eddie's IP, or tell your tools to connect to 127.0.0.1/localhost.

I was hoping it would bounce on those, then attempt against anonymous auth. It seems to actually succeed against anonymous auth (later on in the slapd logs) but then it breaks :/

Cheers,
- Matt
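As an added illustration (not code from this thread or from OpenLDAP), a small Python model of slapd's first-match walk through the `by` clauses of the ACL quoted above, run against the connection shapes Dan describes. The `Conn` fields, the exact-string matching of sockname/peername, and the address 1.2.3.4 (Dan's placeholder for eddie's interface) are simplifying assumptions.

```python
from dataclasses import dataclass

# The ACL from the thread: (who, access) clauses, tried in order; first match wins.
ACL = [("self", "write"), ("sockname=127.0.0.1", "read"),
       ("peername=127.0.0.1", "read"), ("anonymous", "auth"), ("*", "none")]
# Dan's suggestion: also admit eddie's own interface (1.2.3.4 is his placeholder).
WIDENED_ACL = ACL[:3] + [("peername=1.2.3.4", "read")] + ACL[3:]
TARGET = "uid=hennessy,ou=people,o=netomat.net"

@dataclass
class Conn:            # simplified view of one connection (assumed fields)
    bound_dn: str      # "" while the client is still anonymous
    peername: str      # remote address of the client
    sockname: str      # local address slapd accepted the connection on

def clause_matches(who, conn, target_dn):
    """One 'by <who>' test; mirrors the '<= check ...' lines in Matt's log."""
    if who == "*":
        return True
    if who == "self":
        return conn.bound_dn != "" and conn.bound_dn.lower() == target_dn.lower()
    if who == "anonymous":
        return conn.bound_dn == ""
    key, _, value = who.partition("=")
    if key == "sockname":
        return conn.sockname == value   # exact-string match is an assumption
    if key == "peername":
        return conn.peername == value
    raise ValueError(f"unsupported clause: {who}")

def evaluate(conn, target_dn, acl=ACL):
    """Return (access, clause) for the first matching clause, i.e. what the
    '<= acl_mask: applying ...' log line reports."""
    for who, access in acl:
        if clause_matches(who, conn, target_dn):
            return access, who
    return "none", None

if __name__ == "__main__":
    # Constructed connections: anonymous via eddie's interface (the log case),
    # anonymous via loopback, and a client already bound as hennessy.
    for conn in (Conn("", "1.2.3.4", "1.2.3.4"), Conn("", "127.0.0.1", "127.0.0.1"),
                 Conn(TARGET, "1.2.3.4", "1.2.3.4")):
        print(conn.peername, conn.bound_dn or "(anonymous)", "->",
              evaluate(conn, TARGET), evaluate(conn, TARGET, WIDENED_ACL))
```

The first scenario reproduces the log: both 127.0.0.1 clauses are skipped and `anonymous auth` is what gets applied, so the password attributes stay unreadable to anonymous clients while a bind against them is still permitted.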