On Tue, Feb 15, 2011 at 3:20 PM, Andrew Findlay <andrew.findlay@skills-1st.co.uk> wrote:
On Tue, Feb 15, 2011 at 02:52:19PM -0200, Leonardo Carneiro wrote:
#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database        bdb

# The base of your directory in database #1
suffix          dc=dominio,dc=com,dc=br
OK so far, but this is your complete set of ACLs:
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
#access to *
#        by anonymous read
#        by dn="cn=root,dc=dominio,dc=com,dc=br" write
#        by anonymous auth
#        by self write
#        by * none

# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possibly other things) to work
# happily.
access to dn.base="" by * read
######### this last entry was commented out. I uncommented it to check if it would change anything, but it hasn't.
# The admin dn has full write access, everyone else
# can read everything.
#access to *
#        by dn="cn=admin,dc=nodomain" write
#        by * read

# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
#        by dn="cn=admin,dc=nodomain" write
#        by dnattr=owner write
... so all you have is anon access to the null DN.
The commented-out userPassword clause is getting close, but does not actually control userPassword...
I suggest you add this after the 'access to dn.base="" by * read' line:
access to attrs="userPassword"
        by self =w
        by * auth

access to *
        by * read
Andrew
| From Andrew Findlay, Skills 1st Ltd                                   |
| Consultant in large-scale systems, networks, and directory services   |
| http://www.skills-1st.co.uk/                        +44 1628 782565   |
(reply to all now) Hmm, still did not work.

If I do an ldapsearch specifying '-D cn=root,dc=dominio,dc=com,dc=br' and the password, the search goes OK. If I do not specify it, it asks me for SASL/MD5 authentication and fails, and just asks for a password. If I include the '-x' parameter, it also does not work:
chester@reploid:~$ ldapsearch -v -h 192.168.0.2 -b "dc=dominio,dc=com,dc=br" '(objectclass=*)' -LLL -x
ldap_initialize( ldap://192.168.0.2 )
filter: (objectclass=*)
requesting: All userApplication attributes
No such object (32)
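As an added illustration, not part of this thread, here is a small Python model of slapd's first-match ACL evaluation (first matching 'access to' clause, then first matching 'by' clause), run over the ACL set that is actually in force in the posted slapd.conf and over Andrew's suggested set. The user DNs below the suffix are constructed, and a rootdn bind is not modelled, since slapd exempts the rootdn from ACLs altogether.

```python
# Toy evaluator for slapd.conf-style ACLs: the first 'access to' clause whose
# <what> matches the target is used, then the first matching 'by' clause in it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

def privileges(spec):
    """Expand an access spec: a level implies all lower ones; '=w' is exactly write."""
    if spec.startswith("="):
        return {"write"} if spec == "=w" else set()   # only '=w' appears on this page
    return set(LEVELS[1:LEVELS.index(spec) + 1])

def acl(dn_base=None, attrs=None, by=()):
    """One 'access to' clause. dn_base/attrs None means unrestricted ('access to *')."""
    return {"dn_base": dn_base, "attrs": attrs, "by": list(by)}

def who_matches(who, requester, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester == target_dn
    if who.startswith("dn="):
        return requester == who[3:].strip('"')
    return False

def evaluate(acls, target_dn, attr, requester):
    """Privileges 'requester' (None = anonymous bind) gets on attr of target_dn."""
    for rule in acls:
        if rule["dn_base"] is not None and target_dn != rule["dn_base"]:
            continue
        if rule["attrs"] is not None and attr not in rule["attrs"]:
            continue
        for who, spec in rule["by"]:
            if who_matches(who, requester, target_dn):
                return privileges(spec)
        return set()          # clause matched but no 'by' did: implicit 'by * none'
    return set()              # no clause matched: denied once any ACL is defined

BASE = "dc=dominio,dc=com,dc=br"
# What the posted slapd.conf actually has in force: only the null DN is readable.
ORIGINAL = [acl(dn_base="", by=[("*", "read")])]
# Andrew's suggested set, placed after the dn.base="" rule.
SUGGESTED = ORIGINAL + [
    acl(attrs={"userPassword"}, by=[("self", "=w"), ("*", "auth")]),
    acl(by=[("*", "read")]),
]

def can(acls, target_dn, attr, requester, needed):
    return needed in evaluate(acls, target_dn, attr, requester)
```

With ORIGINAL an anonymous bind gets nothing on the suffix entry, which slapd reports as noSuchObject (32) rather than revealing the entry exists; with SUGGESTED the owner can only write userPassword, never read it, and everyone else gets exactly auth on it.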