Dear Pierangelo,
Thanks a lot for the reply. It explains the cause of the problem. I did read the man page for slapd.access but missed this particular bit.
So I do not have to give read access to anonymous for the base; search alone is enough, as follows.

```
access to dn.base="o=abc, c=IN" by anonymous search by * none
```
I tested it successfully.
-- Regards, Sachin Divekar
On Sun, Dec 23, 2012 at 1:08 PM, Pierangelo Masarati <masarati@aero.polimi.it> wrote:
Dear all,
I have a setup of **OpenLDAP v2.3** which I have been using for the last few years. The following are the lines in `slapd.conf` for access control.

```
access to dn.one="o=abc, c=IN" by * read
access to dn.base="o=abc, c=IN" by * none
```
When I do ldapsearch using an anonymous bind it gives me a result.
For example, the following command gives a result.

```
ldapsearch -x -h localhost -b "o=abc,c=IN"
```
Now I have upgraded the OS, CentOS from 5.5 to 6.3, so the version of OpenLDAP is **OpenLDAP v2.4**. We have not changed the schema.
But now the same `ldapsearch` gives me a `result: 32 No such object` error.
But it works when I add the following line to the access control configuration.

```
access to dn.one="o=abc, c=IN" by * read
access to dn.base="o=abc, c=IN" by anonymous read by * none
```
What can be the reason? Is there any security risk in doing so?
man slapd.access(5):
[...]
The search operation, requires search (=s) privileges on the entry pseudo-attribute of the searchBase (NOTE: this was introduced with OpenLDAP 2.4).
[...]
p.
Thank you.
-- Regards, Sachin Divekar
-- Pierangelo Masarati Associate Professor Dipartimento di Ingegneria Aerospaziale Politecnico di Milano
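To see why the 2.3-era ACL yields `result: 32` on 2.4 and why granting anonymous only `search` (rather than `read`) on the base is enough, here is a small model of the slapd ACL evaluation described in slapd.access(5), applied to the two configurations from the thread. This is an added example, not code from the thread or from OpenLDAP; it is a deliberate simplification (only `dn.base`/`dn.one` targets, only `*`/literal subjects, a constructed two-entry directory) that assumes the first matching `access to` clause and then the first matching `by` clause decide, that a search needs `search` on the base entry, that an entry is returned only with `read`, and that lacking even `disclose` hides the entry's existence.

```python
import shlex

# Privilege levels in increasing order, as listed in slapd.access(5).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
# Constructed two-entry directory: the search base and one child entry.
ENTRIES = ("o=abc,c=IN", "cn=alice,o=abc,c=IN")

def norm(dn):
    return ",".join(part.strip() for part in dn.split(","))

def parent(dn):
    return dn.split(",", 1)[1] if "," in dn else ""

def parse_acl(text):
    """Parse 'access to dn.<style>="<dn>" by <who> <level> [by ...]' lines."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)             # keeps the quoted DN as one token
        style, dn = tokens[2].split("=", 1)    # 'dn.base', 'o=abc, c=IN'
        rest = tokens[3:]
        bys = [(rest[i + 1], rest[i + 2]) for i in range(0, len(rest), 3)]
        rules.append((style.split(".")[1], norm(dn), bys))
    return rules

def granted(rules, who, dn):
    """Level `who` gets on `dn`: first matching target, then first matching 'by'."""
    for style, acl_dn, bys in rules:
        if (style == "base" and dn == acl_dn) or (style == "one" and parent(dn) == acl_dn):
            for subject, level in bys:
                if subject in ("*", who):
                    return level
            return "none"
    return "none"

def search(rules, who, base):
    """One-level search from `base` under the 2.4 rule quoted in the thread."""
    lvl = LEVELS.index(granted(rules, who, base))
    if lvl < LEVELS.index("search"):
        # No 'search' on the base entry: the operation fails. Without even
        # 'disclose' the entry's existence is hidden, hence resultCode 32.
        return (32 if lvl < LEVELS.index("disclose") else 50), []
    # Returning an entry needs 'read' on it, so 'search' alone on the base lets
    # anonymous search below it without returning the base entry itself.
    scope = [dn for dn in ENTRIES if dn == base or parent(dn) == base]
    return 0, [dn for dn in scope if LEVELS.index(granted(rules, who, dn)) >= LEVELS.index("read")]

OLD_ACL = 'access to dn.one="o=abc, c=IN" by * read\naccess to dn.base="o=abc, c=IN" by * none'
NEW_ACL = 'access to dn.one="o=abc, c=IN" by * read\naccess to dn.base="o=abc, c=IN" by anonymous search by * none'
```

With `OLD_ACL` the anonymous search returns `(32, [])`; with `NEW_ACL` it returns `(0, ['cn=alice,o=abc,c=IN'])`, i.e. the child is found but the base entry's own attributes are still not disclosed to anonymous.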