https://bugs.openldap.org/show_bug.cgi?id=9256
--- Comment #17 from dpa-openldap@aegee.org ---
In the patch, the line

+attribute of the authorizing identity and/or on the

ends with a space.
Moreover, https://www.openldap.org/doc/admin25/access-control.html#Basic%20ACLs states:
Generally one should start with some basic ACLs such as:

access to attrs=userPassword
    by self =xw
    by anonymous auth
    by * none

access to *
    by self write
    by users read
    by * none
Per https://bugs.openldap.org/show_bug.cgi?id=9657, for SIMPLE bind, anonymous needs auth access only to the userPassword attribute, but for SASL bind, anonymous needs access to the whole entry.
I propose removing "by * none", as it is implicit.
I propose extending the patch to state, for this particular example, that it is suitable for SIMPLE bind and unsuitable for SASL bind (well, “access to attrs=userPassword by self =xw” shall still be preserved), and to provide an example that works with SASL bind, e.g.
access to attrs=userPassword
    by self =xw

access to *
    by anonymous auth
    by self write
    by users read
(without by * none, since it is explicit).
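To make the difference between the two ACL sets concrete, here is an added example (not OpenLDAP code, and not part of this bug comment) that models slapd's ACL evaluation in a simplified way: first matching "access to" target wins, then the first matching "by" clause within it, with an implicit "by * none" at the end. The subject names "anonymous", "users" and "self" and the attribute names are assumptions of the model; "cn" stands in for any non-password attribute of the entry.

```python
import re

# Ordered access levels; a level grants itself and every lower one.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
# Letters usable in exact "=..." privilege specs (e.g. "=xw" = auth + write only).
PRIV_BITS = {"d": "disclose", "x": "auth", "c": "compare", "s": "search",
             "r": "read", "w": "write", "m": "manage"}

def parse_acl(text):
    """Parse 'access to <target> by <who> <spec> ...' lines into (target, clauses)."""
    acls = []
    for line in text.strip().splitlines():
        m = re.match(r"access to (\S+)(.*)", line.strip())
        if m:
            acls.append((m.group(1), re.findall(r"by (\S+) (\S+)", m.group(2))))
    return acls

def privileges(spec):
    """Privilege set conferred by a level ('auth') or an exact spec ('=xw')."""
    if spec.startswith("="):
        return {PRIV_BITS[c] for c in spec[1:] if c in PRIV_BITS}
    return set(LEVELS[1:LEVELS.index(spec) + 1])

def clause_matches(subject, who):
    """who is 'anonymous', 'users' (authenticated, not the entry) or 'self' (assumed model)."""
    return subject == "*" or subject == who or (subject == "users" and who == "self")

def granted(acls, who, attr):
    """First directive covering attr wins; within it the first matching 'by' clause
    decides. Falling off the end of the clauses is the implicit 'by * none'."""
    for target, clauses in acls:
        if target not in ("*", f"attrs={attr}"):
            continue
        for subject, spec in clauses:
            if clause_matches(subject, who):
                return privileges(spec)
        return set()
    return set()

def allows(acls, who, attr, needed):
    return needed in granted(acls, who, attr)

# The admin guide's basic ACLs and the SASL-friendly variant proposed in the comment.
ACL_GUIDE = parse_acl("""
access to attrs=userPassword by self =xw by anonymous auth by * none
access to * by self write by users read by * none
""")
ACL_PROPOSED = parse_acl("""
access to attrs=userPassword by self =xw
access to * by anonymous auth by self write by users read
""")
```

With the guide's ACLs, anonymous gets auth access on userPassword only; with the proposed set, anonymous gets auth (and nothing more) on every attribute of the entry.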