Jittinan Suwanrueangsri jittinan2@gmail.com writes:
Dieter Kluenter wrote:
Jittinan Suwanrueangsri jittinan2@gmail.com writes:
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to dn.subtree="ou=System,dc=example,dc=com"
    by group/groupOfUniqueNames/uniqueMember="cn=Ldap Admins,ou=Groups,dc=example,dc=com" write
    by users read
access to *
    by self write
    by users read
    by * none
These access rules will not allow anonymous auth access to the special attribute "entry" of the base DN,
=> hdb_dn2id("uid=matt,ou=users,dc=example,dc=com")
<= hdb_dn2id: got id=0x5
entry_decode: ""
<= entry_decode()
send_ldap_result: conn=0 op=1 p=3
SASL [conn=0] Failure: no secret in database
send_ldap_result: conn=0 op=1 p=3
send_ldap_response: msgid=2 tag=97 err=49
ber_flush2: 62 bytes to sd 16
<== slap_sasl_bind: rc=49
[...]
SASL reports 'no secret in database'; check your access rules! [...]
Please run slapd in debugging mode acl; this will show you the applied access rules. You should see something like this:
acl_mask: access to entry "o=avci,c=de", attr "entry" requested
=> acl_mask: to all values by "", (=0)
<= check a_dn_pat: users
<= check a_dn_pat: anonymous
<= acl_mask: [3] applying auth(=xd) (stop)
<= acl_mask: [3] mask: auth(=xd)
=> slap_access_allowed: auth access granted by auth(=xd)
[...]
acl_mask: access to entry "cn=admanager,o=avci,c=de", attr "objectClass" requested
=> acl_mask: to all values by "", (=0)
<= check a_dn_pat: users
<= check a_dn_pat: anonymous
<= acl_mask: [3] applying auth(=xd) (stop)
<= acl_mask: [3] mask: auth(=xd)
[...]
=> access_allowed: auth access to "cn=admanager,o=avci,c=de" "userPassword" requested
=> acl_get: [1] attr userPassword
[...]