On Mon, Nov 21, 2016 at 12:45 PM, Quanah Gibson-Mount quanah@symas.com wrote:
--On Monday, November 21, 2016 6:41 PM +0100 Michael Ströder michael@stroeder.com wrote:
Matty wrote:
I am testing some OpenLDAP ACLs and stumbled on a weird issue. My configuration has the following ACL defined:
access to * by users read by peername.ip=1.2.3.4 read by * none
^^^^
You probably want "auth" in this last <who> clause.
Ciao, Michael.
or: by anonymous auth by * none
may be closer.
That works as well, but I'm still not really clear why running:
$ ldapsearch -b 'dc=foo,dc=com' -x -h ldap1 -W -D 'uid=bingo,ou=users,dc=foo,dc=com' '(objectClass=*)'
Results in an anonymous bind:
Nov 16 09:50:02 tulip slapd[17803]: => acl_get: [2] attr userPassword
Nov 16 09:50:02 tulip slapd[17803]: => acl_mask: access to entry "uid=bingo,ou=users,dc=foo,dc=com", attr "userPassword" requested
Nov 16 09:50:02 tulip slapd[17803]: => acl_mask: to value by "", (=0)
Does anyone happen to know why "acl_mask: to value by" shows "" instead of the dn of the user passed to the "-D" option? The suggestions above work but I am still curious why the anonymous bind is occurring.
Thanks for the awesome feedback, - Ryan
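The following is an added example, not part of the thread and not OpenLDAP's own code: a small Python model of the way slapd walks its access directives (first directive whose target covers the attribute, then the first matching by-clause, implicit stop). It is there to make the log line above concrete: a simple bind has to read userPassword of the -D entry before the connection is authenticated, so that access check is evaluated for the anonymous identity "", and under "by * none" it is denied, which is why the bind fails from anywhere but 1.2.3.4 and succeeds once "by anonymous auth" (or auth in the last clause) is present. The modelled subset of slapd's syntax, the sample directory with cleartext passwords, and the third ACL (ACL_HARDENED, which keeps userPassword away from other authenticated users) are all assumptions of this example; the thread itself only asks why the bind is anonymous.

```python
# Added example, not from the thread: a small model of slapd's first-match
# ACL evaluation, enough to show why a simple bind is checked as anonymous.
# Access levels, weakest to strongest; granting a level grants everything left of it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

def parse_acls(text):
    """Parse slapd.conf-style 'access to <what> by <who> <level> ...' lines.
    Assumed subset: <what> is '*' or 'attrs=a,b'; <who> is '*', 'users',
    'anonymous', 'self' or 'peername.ip=<addr>'; clauses implicitly 'stop'."""
    directives = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[:2] != ["access", "to"]:
            raise ValueError("unsupported directive: %r" % line)
        attrs = None if tok[2] == "*" else tok[2][len("attrs="):].split(",")
        clauses, rest = [], tok[3:]
        while rest:
            if rest[0] != "by" or len(rest) < 3:
                raise ValueError("malformed by-clause in %r" % line)
            clauses.append((rest[1], rest[2]))
            rest = rest[3:]
        directives.append((attrs, clauses))
    return directives

def who_matches(who, bind_dn, peer_ip, target_dn):
    """Does one <who> clause apply to this requester?  bind_dn '' is anonymous."""
    if who == "*":
        return True
    if who == "users":
        return bind_dn != ""
    if who == "anonymous":
        return bind_dn == ""
    if who == "self":
        return bind_dn != "" and bind_dn == target_dn
    if who.startswith("peername.ip="):
        return peer_ip == who[len("peername.ip="):]
    raise ValueError("unsupported <who>: " + who)

def allowed(directives, bind_dn, peer_ip, target_dn, attr, needed):
    """First directive covering attr, then its first matching <who>, decides;
    a covering directive with no matching <who> grants nothing, as in slapd."""
    for attrs, clauses in directives:
        if attrs is not None and attr not in attrs:
            continue
        for who, level in clauses:
            if who_matches(who, bind_dn, peer_ip, target_dn):
                return LEVELS.index(level) >= LEVELS.index(needed)
        return False
    return False

def simple_bind(directives, directory, bind_dn, password, peer_ip):
    """slapd reads userPassword of bind_dn before the connection is authenticated,
    so that 'auth' check runs as anonymous (''); the thread's log line
    'to value by "", (=0)' is this check being denied.  Returns the LDAP
    result code: 0 success, 49 invalidCredentials."""
    entry = directory.get(bind_dn)
    if entry is None or not allowed(directives, "", peer_ip, bind_dn, "userPassword", "auth"):
        return 49
    return 0 if entry.get("userPassword") == password else 49

def read_attr(directives, directory, bind_dn, peer_ip, target_dn, attr):
    """Value of attr on target_dn if the bound identity may read it, else None."""
    entry = directory.get(target_dn)
    if entry is None or attr not in entry:
        return None
    if not allowed(directives, bind_dn, peer_ip, target_dn, attr, "read"):
        return None
    return entry[attr]

# Constructed sample directory; cleartext passwords only to keep the model small.
BINGO = "uid=bingo,ou=users,dc=foo,dc=com"
ALICE = "uid=alice,ou=users,dc=foo,dc=com"
DIRECTORY = {BINGO: {"userPassword": "hunter2", "cn": "bingo"},
             ALICE: {"userPassword": "s3cret", "cn": "alice"}}

ACL_ORIGINAL = "access to * by users read by peername.ip=1.2.3.4 read by * none"
ACL_FIXED = "access to * by users read by peername.ip=1.2.3.4 read by anonymous auth by * none"
# Assumed hardening, beyond what the thread asks for: keep userPassword away from other users.
ACL_HARDENED = """
access to attrs=userPassword by self write by anonymous auth by * none
access to * by users read by peername.ip=1.2.3.4 read by * none
"""

def demo():
    """Run the same requests under each ACL; keys name the scenario."""
    results = {}
    for name, text in (("original", ACL_ORIGINAL), ("fixed", ACL_FIXED), ("hardened", ACL_HARDENED)):
        acl = parse_acls(text)
        results[name] = {
            "bind_from_elsewhere": simple_bind(acl, DIRECTORY, BINGO, "hunter2", "10.0.0.9"),
            "bind_from_1.2.3.4": simple_bind(acl, DIRECTORY, BINGO, "hunter2", "1.2.3.4"),
            "bingo_reads_own_pw": read_attr(acl, DIRECTORY, BINGO, "10.0.0.9", BINGO, "userPassword"),
            "bingo_reads_alice_pw": read_attr(acl, DIRECTORY, BINGO, "10.0.0.9", ALICE, "userPassword"),
            "anon_reads_cn": read_attr(acl, DIRECTORY, "", "10.0.0.9", ALICE, "cn"),
        }
    return results
```

Under ACL_ORIGINAL the model returns 49 for a bind from 10.0.0.9 and 0 for the same bind from 1.2.3.4, because the peername clause happens to grant read (which implies auth) to anonymous connections from that address; under ACL_FIXED both binds succeed. The model also shows a side effect of putting "by users read" directly under "access to *": any authenticated user can read every other entry's userPassword, which is why the assumed ACL_HARDENED puts a separate "access to attrs=userPassword" directive first.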