Hi Holger,
I'd try with the following ACLs:
access to attrs=userPassword,shadowLastChange
    by dn="cn=admin,dc=example,dc=com" write
    by anonymous auth
    by self write
    by * none

access to *
    by dn="cn=admin,dc=example,dc=com" write
    by users read
    by * none
This way you allow unauthenticated users to authenticate against their password attribute, and you restrict read access on the rest of the base to authenticated users. The first ACL also lets users change their own passwords (write access to the userPassword and shadowLastChange attributes).
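To make the first-match behaviour of these directives concrete, here is a small Python model of how slapd evaluates access directives, run against Holger's original "access to * by * read", his "by * auth" attempt, and the two ACLs proposed above. This is an added example written for this page, not code from the thread or from OpenLDAP; the DNs uid=alice/uid=bob and the admin DN are made up, and "by dn=..." is treated as an exact DN match (an assumption; slapd also supports regex and subtree styles).

```python
"""Toy model of slapd.conf access-control evaluation (first-match semantics).

Rules modelled, as documented in slapd.access(5):
  * the first "access to <what>" directive that covers the target attribute wins;
  * within it, the first "by <who> <level>" clause that matches the requester wins;
  * if no "by" clause matches, access is denied (implicit "by * none");
  * a granted level implies every lower level (auth < compare < search < read < write).
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass

# Access levels in increasing order; a grant implies every lower level.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


@dataclass
class Acl:
    attrs: frozenset | None  # None means "access to *" (entry and all attributes)
    clauses: list            # [(who, level), ...] in the order written


def parse_acls(conf: str) -> list[Acl]:
    """Parse "access to ... by ... <level>" directives, honouring slapd.conf's
    rule that a line starting with whitespace continues the previous directive."""
    joined: list[str] = []
    for line in conf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and joined:
            joined[-1] += " " + line.strip()
        else:
            joined.append(line.strip())

    acls: list[Acl] = []
    for directive in joined:
        tokens = shlex.split(directive)  # shlex strips the quotes around dn="..."
        if tokens[:2] != ["access", "to"]:
            raise ValueError(f"not an access directive: {directive}")
        what = tokens[2]
        if what == "*":
            attrs = None
        elif what.startswith("attrs="):
            attrs = frozenset(a.lower() for a in what[len("attrs="):].split(","))
        else:
            raise ValueError(f"unsupported <what> clause: {what}")
        clauses = []
        rest = tokens[3:]
        while rest:
            if rest[0] != "by" or len(rest) < 3 or rest[2] not in LEVELS:
                raise ValueError(f"malformed by-clause in: {directive}")
            clauses.append((rest[1], rest[2]))
            rest = rest[3:]
        acls.append(Acl(attrs, clauses))
    return acls


def who_matches(who: str, bind_dn: str | None, target_dn: str) -> bool:
    """Does a <who> clause apply to this requester (bind_dn None = anonymous)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    if who.startswith("dn="):
        # Assumption for this example: plain dn= is compared as an exact DN.
        return bind_dn is not None and bind_dn.lower() == who[3:].lower()
    raise ValueError(f"unsupported <who> clause: {who}")


def effective_level(acls: list[Acl], bind_dn: str | None, target_dn: str, attr: str) -> str:
    """Access level the requester gets on attribute `attr` of entry `target_dn`."""
    attr = attr.lower()
    for acl in acls:
        if acl.attrs is None or attr in acl.attrs:  # first matching directive decides
            for who, level in acl.clauses:
                if who_matches(who, bind_dn, target_dn):
                    return level
            return "none"  # no by-clause matched: implicit "by * none"
    return "none"          # no directive covers the target at all


def allowed(acls: list[Acl], bind_dn: str | None, target_dn: str, attr: str, needed: str) -> bool:
    return LEVELS.index(effective_level(acls, bind_dn, target_dn, attr)) >= LEVELS.index(needed)


# Constructed configurations: the original setting, Holger's attempt, and the proposed ACLs.
ORIGINAL = "access to * by * read\n"
ATTEMPT = "access to * by * auth\n"
PROPOSED = """\
access to attrs=userPassword,shadowLastChange
    by dn="cn=admin,dc=example,dc=com" write
    by anonymous auth
    by self write
    by * none
access to *
    by dn="cn=admin,dc=example,dc=com" write
    by users read
    by * none
"""
ADMIN = "cn=admin,dc=example,dc=com"           # made-up DNs for the demonstration
ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("attempt", ATTEMPT), ("proposed", PROPOSED)):
        acls = parse_acls(conf)
        print(f"{name:8s} anonymous read mail: {allowed(acls, None, ALICE, 'mail', 'read')}, "
              f"anonymous search uid: {allowed(acls, None, ALICE, 'uid', 'search')}, "
              f"anonymous bind: {allowed(acls, None, ALICE, 'userPassword', 'auth')}")
```

Running it shows why "by * auth" broke logins: auth sits below search, so the anonymous uid lookup that clients such as pam_ldap/nss_ldap perform to discover the DN before binding is refused. Note that the proposed ACLs refuse that anonymous search too (anonymous gets "none" on everything except the password attributes), so a client that resolves the DN anonymously will still see "Insufficient access" and needs its own bind DN, or an explicit anonymous search grant on the lookup attributes.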
2010/9/29 Holger Schier hschier@mathematik.uni-mainz.de:
Hey guys,
I am working with LSEE 11 and trying to run an LDAP server. From scratch, everything went fine. With the standard configuration I can log in, but if I use the LDAP Browser and choose anonymous access, I can see my whole LDAP tree: user names, mail addresses and so on. And I am not happy with it.
So I tried to change the access control from "access to * by * read" to "access to * by * auth" or "access to * by * search".
The user password is already in auth mode.
But with every other configuration instead of read, I cannot log in anymore: Insufficient access. After the first try with auth I read the log files and saw that there is a search operation. So I switched to search. Now the server denies some read operations.
So, my questions are: Is it just normal that anyone can see the LDAP tree? Is there any other option to hide my tree? And what attributes have to be readable to log in?
Thanks a lot. Holger