On Tue, Feb 15, 2011 at 3:20 PM, Andrew Findlay
<andrew.findlay@skills-1st.co.uk> wrote:
On Tue, Feb 15, 2011 at 02:52:19PM -0200, Leonardo Carneiro wrote:
> #######################################################################
> # Specific Directives for database #1, of type bdb:
> # Database specific directives apply to this databasse until another
> # 'database' directive occurs
> database bdb
>
> # The base of your directory in database #1
> suffix dc=dominio,dc=com,dc=br
OK so far, but this is your complete set of ACLs:
> # The userPassword by default can be changed
> # by the entry owning it if they are authenticated.
> # Others should not be able to see it, except the
> # admin entry below
> # These access lines apply to database #1 only
> #access to * by anonymous read
> # by dn="cn=root,dc=dominio,dc=com,dc=br" write
> # by anonymous auth
> # by self write
> # by * none
>
>
> # Ensure read access to the base for things like
> # supportedSASLMechanisms. Without this you may
> # have problems with SASL not knowing what
> # mechanisms are available and the like.
> # Note that this is covered by the 'access to *'
> # ACL below too but if you change that as people
> # are wont to do you'll still need this if you
> # want SASL (and possible other things) to work
> # happily.
> access to dn.base="" by * read
>
> ######### this last entry was commented. i uncommented to check if would
> change anything, but it haven't.
>
> # The admin dn has full write access, everyone else
> # can read everything.
> #access to *
> # by dn="cn=admin,dc=nodomain" write
> # by * read
>
> # For Netscape Roaming support, each user gets a roaming
> # profile for which they have write access to
> #access to dn=".*,ou=Roaming,o=morsnet"
> # by dn="cn=admin,dc=nodomain" write
> # by dnattr=owner write
The commented-out userPassword clause is getting close, but
does not actually control userPassword...
I suggest you add this after the 'access to dn.base="" by * read' line:
access to attrs="userPassword"
by self =w
by * auth
access to * by * read
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
|
http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
(reply to all now)
Hmm, still did not worked.
If i do a ldapsearch specifying '-D cn=root,dc=dominio,dc=com,dc=br" and the password, the search goes ok. if i do not specify, is asks me for a sasl/md5 authentication and fails, and just asks for a password. if i include a '-x' parameter, also does not work:
chester@reploid:~$ ldapsearch -v -h 192.168.0.2 -b "dc=dominio,dc=com,dc=br" '(objectclass=*)' -LLL -x
filter: (objectclass=*)
requesting: All userApplication attributes
No such object (32)