Please ask software use questions on the openldap-software mailing list.
As per your question about access control in slapd-ldap(5), the answer is in (guess what?) slapd-ldap(5), in the section entitled (guess what?) "ACCESS CONTROL".
As per your question about other means to deny bind for a subtree, the answer is in slapd.conf(5), about the config statement "restrict".
p.
Daniel Hasler wrote:
Hi
I am trying to deny BIND for all entries in a subtree. I compiled OpenLDAP with the LDAP backend, because this is only a proxy that forwards requests to another directory.
Following is my configuration:
    include /local/home/hasleda4/openldap/etc/openldap/schema/core.schema
    include /local/home/hasleda4/openldap/etc/openldap/schema/cosine.schema
    include /local/home/hasleda4/openldap/etc/openldap/schema/inetorgperson.schema

    pidfile  /local/home/hasleda4/openldap/var/run/gaad-slapd.pid
    argsfile /local/home/hasleda4/openldap/var/run/gaad-slapd.args

    database ldap
    suffix   "dc=company,dc=com"
    uri      "ldaps://other-dir.net:26930"

    access to dn.subtree="ou=people,ou=intranet,dc=company,dc=com"
        by dn.subtree="ou=applications,ou=intranet,dc=company,dc=com" read
        by * none
    access to dn.subtree="ou=applications,ou=intranet,dc=company,dc=com"
        by users read
        by anonymous auth
        by * none
    access to *
        by * read
By the first ACL, anonymous users are not allowed to bind against "ou=people,ou=intranet,dc=novartis,dc=com". If I now try to bind, the ACL does not seem to be evaluated (I run slapd with -d 128 to see ACL processing, and there is no output during the BIND), and the BIND operation succeeds if I give the correct password.
Is this a bug, or is this just how OpenLDAP behaves for bind operations? Is there another way to deny bind operations for a subtree?
Thanks for any response.
Cheers,
Dani
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:  +39.02.23998309
Mobile:  +39.333.4963172
Email:   pierangelo.masarati@sys-net.it
------------------------------------------
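For readers landing on this thread: the behaviour Dani saw is what slapd-ldap(5) documents in its ACCESS CONTROL section. back-ldap delegates access checking to the remote server and only applies local read (=r) ACLs to the entries it returns, so a bind is simply forwarded and never reaches the local ACL engine, which is why -d 128 prints nothing. The frontend, however, does honour the slapd.conf(5) "restrict" directive before an operation is proxied. The fragment below is an added example (not code from the thread or from the OpenLDAP project) showing the same proxy database with bind refused; the suffix, URI and DNs are the placeholders from the question:

```conf
# Added example, not from the original mail: a back-ldap proxy that
# refuses bind operations at the frontend instead of relying on ACLs.
database ldap
suffix   "dc=company,dc=com"
uri      "ldaps://other-dir.net:26930"

# restrict <oplist> (slapd.conf(5)) is evaluated by the frontend, so the
# bind is rejected (unwillingToPerform) before back-ldap can forward it
# to other-dir.net. This applies to every DN under the database suffix.
restrict bind

# The read ACLs still matter: back-ldap applies local =r checks to the
# entries it hands back, so ou=people stays invisible to everyone but
# identities under ou=applications on search results.
access to dn.subtree="ou=people,ou=intranet,dc=company,dc=com"
    by dn.subtree="ou=applications,ou=intranet,dc=company,dc=com" read
    by * none
access to *
    by * read
```

Two caveats a practitioner should keep in mind. First, "restrict" is a per-database setting, so this also refuses binds for identities under ou=applications; with a single back-ldap database there is no way to scope the refusal to one subtree via "restrict" alone. Second, the "by anonymous auth" clause in the original ACL only has meaning for backends that verify credentials locally; with back-ldap the remote directory decides whether the password is correct, so an "auth" grant or denial in the proxy's slapd.conf does not gate the bind. A quick check after restarting slapd is an ldapwhoami -D with a DN under the suffix against the proxy: it should now fail with "Server is unwilling to perform" regardless of the password.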