On Fri, Aug 31, 2018 at 08:23:37AM -0700, Quanah Gibson-Mount wrote:
> --On Thursday, August 30, 2018 3:17 PM -0500 Bill Bradford mrbill@mrbill.net wrote:
> > by dn="cn=Manager,dc=domain,dc=com" write
>
> This should also be dn.exact

I'll fix that, but this user (rootDN) has the required privs and already works fine so far for a couple of years now.

> > by dn.exact="uid=romanager,ou=Users,dc=domain,dc=com" read
>
> Are you sure this is the DN returned by ldapwhoami?

I'm not logging in to a Linux box as this user; I'm using this DN as credentials (in Apache Directory Studio, ldapsearch, etc.) and connecting just fine - just not with the ability to read other users' passwords.

> Past that, I'd suggest you test with slapacl and potentially ACL level debugging.

See reply I just sent to Jason about slapacl not behaving.

Thanks. I hope to be able to hammer this out today. My end result is to have a user with all the privs of the RootDN, but as "read-only" and without the ability to make any changes - so that we don't have to give out the RootDN and password to apps that want to authenticate against LDAP.

Bill