On Fri, Aug 31, 2018 at 08:23:37AM -0700, Quanah Gibson-Mount wrote:
--On Thursday, August 30, 2018 3:17 PM -0500 Bill Bradford
> by dn="cn=Manager,dc=domain,dc=com" write
This should also be dn.exact
I'll fix that. but this user (rootDN) has the required privs and
already works fine so far for a couple of years now.
> by dn.exact="uid=romanager,ou=Users,dc=domain,dc=com"
Are you sure this is the DN returned by ldapwhoami?
I'm not logging in to a Linux box as this user; I'm using this DN as
credentials (in Apache Directory Studio, ldapsearch, etc) and connecting
just fine - just not with the ability to read other user's passwords.
Past that, I'd suggest you test with slapacl and potentially ACL
See reply I just sent to Jason about slapacl not behaving.
Thanks. I hope to be able to hammer this out today. My end result is
to have a user with all the privs of the RootDN, but as "read-only" and
without the ability to make any changes - so that we don't have to give
out the RootDN and password to apps that want to authenticate against LDAP.
Houston, Texas USA