On Mon, Jan 02, 2017 at 08:27:29AM +0100, Pascal Jakobi wrote:
> My LDAP ACLs are as follows:
Just as a reference, the ACLs we use are:
access to attrs=userPassword
    by anonymous auth
access to dn.subtree="cn=container,ou=kerberos"
    by dn="cn=kdc,ou=service,ou=kerberos" write
    by dn="cn=kadmin,ou=service,ou=kerberos" write
    by * none break
access to dn.exact="ou=kerberos" attrs=entry,contextCSN,objectClass
    by dn="cn=slapd-checksync,ou=service,ou=kerberos" read
    by * none break
access to *
    by dn.exact="cn=slapd-syncrepl,ou=service,ou=kerberos" read
    by * none
We've never had an issue. The first stanza allows the various service accounts to authenticate, the second provides access to the kdc and kadmin services, the third to a replication check account, and the last to the syncrepl service. We run separate dedicated ldap servers for our kerberos backends on each kdc; we don't mix the kerberos ldap data into our normal ldap systems.
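To make the interplay of those four stanzas concrete, here is a small Python model of slapd's first-match evaluation with the `break` control, added as an example for this thread (it is not the poster's code and not OpenLDAP's implementation; it follows the rules in slapd.access(5) in simplified form). It parses the directives exactly as posted and evaluates a few binds against them. The service DNs are the ones in the directives; the principal entry `krbPrincipalName=alice@EXAMPLE.ORG,cn=container,ou=kerberos` is a constructed example.

```python
"""Model of slapd's ACL evaluation, applied to the four directives posted above.

Simplified from slapd.access(5): directives are tried in order and the first whose
<what> matches the target entry/attribute is selected; its <by> clauses are tried in
order and the first whose <who> matches the requester sets the level.  "stop" (the
default control) ends evaluation, "break" moves on to the next directive.  If no <by>
clause matches, the implicit "by * none" applies and evaluation stops.
"""
import re
from collections import namedtuple

# Privilege levels in increasing order; a granted level implies the lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

ByClause = namedtuple("ByClause", "who level control")          # control: "stop" | "break"
AccessDirective = namedtuple("AccessDirective", "dn_style dn attrs by")  # attrs None = all


def norm_dn(dn):
    """Case-fold and trim RDNs so DNs can be compared as plain strings."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def parse_acl(line):
    """Parse a one-line 'access to <what> by <who> <level> [control] ...' directive."""
    m = re.match(r"access\s+to\s+(.+?)\s+(by\s+.*)$", line.strip())
    if not m:
        raise ValueError(f"unsupported directive: {line!r}")
    what, rest = m.groups()
    dn_style = dn = attrs = None              # dn_style: None (any entry), "exact", "subtree"
    for tok in what.split():
        key, _, val = tok.partition("=")
        val = val.strip('"')
        if tok == "*":
            continue                          # every entry, every attribute
        if key == "attrs":
            attrs = frozenset(a.lower() for a in val.split(","))
        elif key in ("dn", "dn.exact", "dn.subtree"):
            dn_style, dn = key.partition(".")[2] or "exact", norm_dn(val)
        else:
            raise ValueError(f"unsupported <what> selector: {tok!r}")
    clauses = []
    for clause in re.split(r"\s+by\s+", " " + rest)[1:]:
        parts = clause.split()
        control = parts[2] if len(parts) > 2 else "stop"
        if parts[1] not in LEVELS or control not in ("stop", "break"):
            raise ValueError(f"unsupported <by> clause: {clause!r}")
        clauses.append(ByClause(parts[0], parts[1], control))
    return AccessDirective(dn_style, dn, attrs, clauses)


def what_matches(d, target, attr):
    t = norm_dn(target)
    if d.dn_style == "exact" and t != d.dn:
        return False
    if d.dn_style == "subtree" and t != d.dn and not t.endswith("," + d.dn):
        return False
    return d.attrs is None or attr.lower() in d.attrs


def who_matches(c, requester):
    """requester is the bind DN, or None for an anonymous bind."""
    if c.who == "*":
        return True
    if c.who == "anonymous":
        return requester is None
    key, _, val = c.who.partition("=")
    if key in ("dn", "dn.exact"):
        return requester is not None and norm_dn(requester) == norm_dn(val.strip('"'))
    raise ValueError(f"unsupported <who>: {c.who!r}")


def access_level(acls, requester, target, attr):
    """Privilege level the requester ends up with on (target entry, attribute)."""
    granted = "none"
    for d in acls:
        if not what_matches(d, target, attr):
            continue
        for c in d.by:
            if who_matches(c, requester):
                granted = c.level
                if c.control == "stop":
                    return granted
                break                         # "break": carry on with the next directive
        else:
            return "none"                     # no <who> matched: implicit "by * none", stop
    return granted  # no directive matched at all; the final 'access to *' above prevents this


# The four directives exactly as posted above (unsuffixed DNs, as in the post).
POSTED_ACLS = [parse_acl(line) for line in [
    'access to attrs=userPassword by anonymous auth',
    'access to dn.subtree="cn=container,ou=kerberos" by dn="cn=kdc,ou=service,ou=kerberos" write '
    'by dn="cn=kadmin,ou=service,ou=kerberos" write by * none break',
    'access to dn.exact="ou=kerberos" attrs=entry,contextCSN,objectClass '
    'by dn="cn=slapd-checksync,ou=service,ou=kerberos" read by * none break',
    'access to * by dn.exact="cn=slapd-syncrepl,ou=service,ou=kerberos" read by * none',
]]

# Service DNs taken from the directives; the principal entry is a constructed example.
KDC = "cn=kdc,ou=service,ou=kerberos"
KADMIN = "cn=kadmin,ou=service,ou=kerberos"
CHECKSYNC = "cn=slapd-checksync,ou=service,ou=kerberos"
SYNCREPL = "cn=slapd-syncrepl,ou=service,ou=kerberos"
PRINCIPAL = "krbPrincipalName=alice@EXAMPLE.ORG,cn=container,ou=kerberos"
```

Running `access_level(POSTED_ACLS, SYNCREPL, PRINCIPAL, "krbPrincipalKey")` gives `read`: the second stanza matches the principal entry, falls through its `by * none break`, and the fourth stanza then grants the syncrepl account read. Replace that `break` with a plain `by * none` and the same call gives `none`, which is the whole reason the second and third stanzas end in `break`. The model also shows that the first stanza, having no `break`, stops evaluation for any bound DN asking for userPassword (the implicit `by * none`), so the syncrepl account does not see that attribute; whether that matters depends on whether those entries need to replicate.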