On Fri, Aug 31, 2018 at 11:33:59AM -0700, Quanah Gibson-Mount wrote:
Hi Bill,

This has nothing to do with ACLs. You failed to even bind to the server. This means that either:
(a) The user DN provided to the -D option does not exist on the ldapserver, or
(b) you provided the wrong password for the user.

--Quanah
RESOLVED!
So this apparently boils down to something wrong with how I created the new account. No idea why I could bind w/ADS but not ldapsearch, but anyway:
When I added an ACL for *my* user account to be able to read everything, and bound using MY account and password (instead of the new account), EVERYTHING works as expected - full access to other users' password hashes, but no ability to make changes.
So I just need to figure out what went wrong there and fix it, and that's all on my end.
Thanks again everyone for your help.
Bill
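For reference, here is what the read-only ACL Bill describes (a designated account can read every entry, including userPassword hashes, but cannot modify anything) looks like in OpenLDAP slapd's cn=config. This is an added example, not a configuration posted in the thread; it assumes an OpenLDAP server with the cn=config backend, a database at `olcDatabase={1}mdb,cn=config`, and the constructed reader DN `cn=auditor,dc=example,dc=com`.

```ldif
# Added example: read-only "auditor" account in OpenLDAP cn=config.
# Assumptions: database is olcDatabase={1}mdb; reader DN is constructed.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Rule {0} must come before the catch-all: slapd uses the first "to" clause
# whose target matches, so a userPassword rule placed after "to *" is never
# reached. "by anonymous auth" is what lets a simple bind succeed at all;
# without it every bind fails (Quanah's point: a bind failure is not an ACL
# problem on the entries, it happens before any search is evaluated).
olcAccess: {0}to attrs=userPassword
  by dn.exact="cn=auditor,dc=example,dc=com" read
  by self write
  by anonymous auth
  by * none
# Rule {1}: the auditor may read everything else; ordinary users may read
# but not write other entries; everyone else gets nothing.
olcAccess: {1}to *
  by dn.exact="cn=auditor,dc=example,dc=com" read
  by self write
  by users read
  by * none
```

Apply it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif` (or whatever admin path your cn=config uses). Before touching ACLs, confirm the bind itself works, which is the step that failed in this thread: `ldapwhoami -x -D "cn=auditor,dc=example,dc=com" -W` should print the bound DN; an "Invalid credentials" (err=49) response means the DN or password is wrong, and no ACL change will fix it.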