Re: ACLs whont work

Dario Zanzico wrote: > On Wed, Sep 23, 2015, at 10:36 AM, Fischer, Johannes wrote: >> I struggle with the ACLs, I whant a special account to check the username >> and PW of the entries on the LDAP-server. >> Therefore I’ve written the following in the slapd.conf file: >> >> access to attrs=userPassword >> by dn="cn=authenticate,dc=vfk,dc=ldap,dc=com" write >> by self write >> by anonymous none > > this acl makes everyone able to write everything (except the password > that can be written by cn=authenticate and self), > and makes it impossible to bind not-anonimously > > if you want users to be able to authenticate you shoud give 'anonymous' > users auth permissions to the userpassword attr: > > access to attrs=userpassword > # allow connections to bind as user > by anonymous auth > # allow self password change > by self write > # allow cn=authenticate password change > by dn="cn=authenticate,dc=vfk,dc=ldap,dc=com" write Also note that "write" also includes "read" access which is not necessary. Better use privileges. I've compiled some of my usual simple patterns into this example config: https://build.opensuse.org/package/view_file/home:stroeder:branches:netwo... YMMV. So everybody caring for real access control should really dive into slapd.access(5) [1]. [1] http://www.openldap.org/software/man.cgi?query=slapd.access Ciao, Michael.