I'm running Red Hat Enterprise 5 (x86_64) and Openldap version 2.3.27 from official rpms. I have installed openldap, openldap-devel, openldap-clients, and openldap-servers.
The following command:
ldapsearch -x -b "dc=example,dc=com" '(uid=jsmith)'
produces the following results:
--
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (uid=jsmith)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
--
If I specify the jsmith user (or any other user) using -D -W, I get the same results. If I specify the rootdn user:
ldapsearch -x -D "cn=manager,dc=example,dc=com" -W -b "dc=example,dc=com" '(uid=jsmith)'
I get the following results:
--
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (uid=jsmith)
# requesting: ALL
#

# jsmith, users, example.com
dn: uid=jsmith,ou=users,dc=example,dc=com
uid: jsmith
cn: jsmith
homeDirectory: /home/jsmith
uidNumber: xxx
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
gidNumber: xxx
gecos: John Smith
sn: Smith
shadowLastChange: xxx
userPassword:: xxx
loginShell: /sbin/nologin

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
--
The problem is that I have not disabled anonymous or user access other than to set ACLs for the userPassword field. The user jsmith can't even do a search on himself.
I've tried slapacl and confirmed that anonymous as well as the jsmith user can read the uid field. I even tried reindexing using slapindex, but that didn't work either.
Here is my slapd.conf:

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba3.schema
include /etc/openldap/schema/qmail.schema

allow bind_v2

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

database bdb
suffix "dc=example,dc=com"
rootdn "cn=manager,dc=example,dc=com"
rootpw xxx

access to attrs=userPassword
    by anonymous auth
    by self write
    by * none
access to attrs=uid
    by * read

directory /var/lib/ldap

index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
Am I missing something??
Thanks!
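As an added example (not from the question above and not OpenLDAP's own code), a small Python evaluator of the first-match semantics described in slapd.access(5), run over the two access clauses from the question's slapd.conf: it reports which attributes a given requester can read and whether a catch-all `access to *` clause exists at all. Subject matching is simplified to the literal keywords (anonymous, self, *), and the `entry` pseudo-attribute, which a requester must be able to read before a search returns the entry, is evaluated like any other attribute.

```python
import re

# Constructed copy of the access directives from the question's slapd.conf.
SLAPD_ACCESS = """
access to attrs=userPassword
    by anonymous auth
    by self write
    by * none
access to attrs=uid
    by * read
"""

# Access levels in increasing order of privilege (slapd.access(5)).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def parse_access(text):
    """Return [(attrs_or_None, [(who, level), ...]), ...] in file order.

    attrs is None for a catch-all 'access to *' clause.
    """
    rules = []
    for m in re.finditer(r"access\s+to\s+(\S+)((?:\s+by\s+\S+\s+\S+)+)", text):
        what = m.group(1)
        attrs = set(what[len("attrs="):].split(",")) if what.startswith("attrs=") else None
        bys = re.findall(r"by\s+(\S+)\s+(\S+)", m.group(2))
        rules.append((attrs, bys))
    return rules


def access_level(rules, attr, who):
    """First 'access to' clause whose target matches decides; inside it the
    first matching 'by' wins and a clause with no matching 'by' yields none.
    Once any ACL exists, a target matched by no clause also gets none
    (the implicit trailing 'access to * by * none')."""
    for attrs, bys in rules:
        if attrs is not None and attr not in attrs:
            continue
        for subj, level in bys:
            if subj in ("*", who):  # simplified subject match
                return level
        return "none"
    return "none"


def can_read(rules, attr, who):
    return LEVELS.index(access_level(rules, attr, who)) >= LEVELS.index("read")


def has_catch_all(rules):
    """True if some clause targets '*' (everything not matched earlier)."""
    return any(attrs is None for attrs, _ in rules)
```

With these two clauses, `can_read(rules, "uid", "anonymous")` is True, as slapacl reported in the question, while `can_read(rules, "entry", "anonymous")` is False and `has_catch_all(rules)` is False.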