On Mon, Nov 21, 2016 at 12:45 PM, Quanah Gibson-Mount <quanah(a)symas.com> wrote:
> --On Monday, November 21, 2016 6:41 PM +0100 Michael Ströder
> <michael(a)stroeder.com> wrote:
>
>> Matty wrote:
>>>
>>> I am testing some OpenLDAP ACLs and stumbled on a weird issue. My
>>> configuration has the following ACL defined:
>>>
>>> access to *
>>> by users read
>>> by peername.ip=1.2.3.4 read
>>> by * none
>>
>> ^^^^
>> You probably want "auth" in this last <who> clause.
>>
>> Ciao, Michael.
>>
>
> or:
> by anonymous auth
> by * none
>
> may be closer.
That works as well, but I'm still not really clear why running:
$ ldapsearch -b 'dc=foo,dc=com' -x -h ldap1 -W -D 'uid=bingo,ou=users,dc=foo,dc=com' '(objectClass=*)'
results in an anonymous bind:
Nov 16 09:50:02 tulip slapd[17803]: => acl_get: [2] attr userPassword
Nov 16 09:50:02 tulip slapd[17803]: => acl_mask: access to entry "uid=bingo,ou=users,dc=foo,dc=com", attr "userPassword" requested
Nov 16 09:50:02 tulip slapd[17803]: => acl_mask: to value by "", (=0)
Does anyone happen to know why "acl_mask: to value by" shows ""
instead of the dn of the user passed to the "-D" option? The
suggestions above work but I am still curious why the anonymous bind
is occurring.
Thanks for the awesome feedback,
- Ryan
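As an added illustration (not part of the thread, and not a configuration from any of its participants), the ACL from the original question beside the corrected ordering the replies suggest. The base DN, user entry and peer address are the thread's own values; the `by self write` clause is an assumption added here so that users can still change their own password.

```conf
# Original ACL from the thread. A simple bind must verify the password
# BEFORE the connection has any identity, so slapd evaluates that access
# check as the anonymous user (the "" seen in the acl_mask trace).
# "by users read" does not match anonymous, "by * none" does, and the
# bind is refused even though -D named a real entry.
access to *
        by users read
        by peername.ip=1.2.3.4 read
        by * none

# Corrected form. Clauses are tested in order and the first match wins,
# and "access to" rules are likewise tested in order, so the userPassword
# rule has to come before the catch-all "access to *".
# "auth" (=x) lets the anonymous binder have its password compared but
# never read back, which is the minimum a simple bind needs.
access to attrs=userPassword
        by self write          # assumption added here: let users change their own password
        by anonymous auth      # required for simple bind to succeed
        by * none

access to *
        by users read
        by peername.ip=1.2.3.4 read
        by * none
```

With this in place the same ldapsearch should show the bind evaluated against the userPassword rule as anonymous and granted auth, after which the search itself runs under the bound DN and matches `by users read`. Re-running slapd with ACL debugging (`-d acl`, as in the trace above) is the quickest way to confirm which clause each step matched.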