On Fri, Aug 31, 2018 at 11:05:34AM -0700, Quanah Gibson-Mount wrote:
> Hi Bill,
> As was noted to you yesterday on the IRC channel, slapacl takes the same -f/-F flags as the other slap* commands. So if you are using a cn=config based server, then you use -F /path/to/configuration.
Quanah,
*facepalm* my mistake.
Got further this time. slapacl says it should work:
[root@hou-1 openldap]# slapacl -F /etc/openldap/slapd.d -v -D "uid=romanager,ou=Users,dc=domain,dc=com" -b "employeeNumber=413111,ou=people,dc=domain,dc=com" userPassword/read
authcDN: "uid=romanager,ou=users,dc=domain,dc=com"
read access to userPassword: ALLOWED
But when I try to look up data with ldapsearch, as that user:
$ ldapsearch -x -W -H ldaps://hou-1.master.ldap.prod.domain.com -D "uid=romanager,ou=Users,dc=domain,dc=com" -b "ou=people,dc=domain,dc=com" -s sub employeeNumber=413111
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
It works as RootDN of course:
$ ldapsearch -x -W -H ldaps://hou-1.master.ldap.prod.domain.com -D "cn=manager,dc=domain,dc=com" -b "ou=people,dc=domain,dc=com" -s sub employeeNumber=1809 | grep userPassword
Enter LDAP Password:
userPassword:: PASSWORDHASH-SANITIZED
HOWEVER, I can set up a profile in Apache Directory Studio with the same user (uid=romanager,ou=Users,dc=domain,dc=com) as BindDN, WITH password, click "Check Authentication" and it passes the test, and connect/bind to the directory as that user. But then it will only show me userPassword for the user I used for BindDN itself, and none else.
I can connect with ADS using the RootDN info as BindDN and see all info for every user, as expected.
Thank y'all for all of the help so far. It's really appreciated.
Even if I've made a couple of stupid goof mistakes.
Bill
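One point worth separating out of the exchange above: slapacl evaluates access control for the authcDN you hand it and never performs a bind, so an "ldap_bind: Invalid credentials (49)" from ldapsearch is an authentication failure that slapacl cannot surface. When the rootDN can read the entry's userPassword (as in the second ldapsearch in the post), the stored hash can be checked offline against the password being typed. The script below is an added example and is not code from the thread or from OpenLDAP; it assumes the entry uses one of the {SHA}, {SSHA}, {SHA256}, {SSHA256}, {SHA512} or {SSHA512} schemes (cleartext is compared directly, {CRYPT} is reported as unsupported), and every LDIF line and password in it is constructed for the example.

```python
"""Offline check of an OpenLDAP userPassword value against a candidate password.

Added example, not from the list post. Assumes the stored value was obtained as
rootDN with ldapsearch, which prints userPassword base64-encoded ("userPassword:: ...").
"""
import base64
import hashlib
import hmac
import os

# scheme -> (hashlib algorithm, salted?)
SCHEMES = {
    "SHA": ("sha1", False),
    "SSHA": ("sha1", True),
    "SHA256": ("sha256", False),
    "SSHA256": ("sha256", True),
    "SHA512": ("sha512", False),
    "SSHA512": ("sha512", True),
}


def ldif_userpassword(value: str) -> str:
    """Render userPassword the way ldapsearch prints it: always base64 ('::')."""
    return "userPassword:: " + base64.b64encode(value.encode()).decode()


def parse_ldif_value(line: str) -> str:
    """Return the value from a single LDIF attribute line, decoding '::' base64 values."""
    attr, sep, rest = line.partition(":")
    if not sep:
        raise ValueError(f"not an LDIF attribute line: {line!r}")
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip()).decode()
    return rest.strip()


def split_scheme(stored: str):
    """Split '{SSHA}payload' into (scheme, payload); cleartext returns (None, value)."""
    if stored.startswith("{") and "}" in stored:
        scheme, _, payload = stored[1:].partition("}")
        return scheme.upper(), payload
    return None, stored


def hash_password(password: str, scheme: str = "SSHA", salt=None) -> str:
    """Build a userPassword value in the {SCHEME}base64(digest + salt) form slappasswd emits."""
    algo, salted = SCHEMES[scheme.upper()]
    if salted:
        salt = os.urandom(4) if salt is None else salt  # slappasswd uses a 4-byte salt
    else:
        salt = b""
    digest = hashlib.new(algo, password.encode() + salt).digest()
    return "{%s}%s" % (scheme.upper(), base64.b64encode(digest + salt).decode())


def verify_password(stored: str, candidate: str) -> bool:
    """True if candidate matches the stored value; ValueError for schemes not handled here."""
    scheme, payload = split_scheme(stored)
    if scheme is None:
        # cleartext userPassword: slapd compares the octets directly
        return hmac.compare_digest(payload.encode(), candidate.encode())
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported scheme {{{scheme}}} (e.g. {{CRYPT}} needs crypt(3))")
    algo, salted = SCHEMES[scheme]
    blob = base64.b64decode(payload)
    size = hashlib.new(algo).digest_size
    digest = blob[:size]
    salt = blob[size:] if salted else b""  # salt is whatever follows the digest
    expected = hashlib.new(algo, candidate.encode() + salt).digest()
    return hmac.compare_digest(digest, expected)


def check_ldif_line(line: str, candidate: str) -> bool:
    """End to end: ldapsearch output line -> stored value -> compare with candidate."""
    return verify_password(parse_ldif_value(line), candidate)


# Constructed sample: what ldapsearch as rootDN would print for an entry whose
# password was set to "secret" with {SSHA} and a fixed salt. Not data from the thread.
SAMPLE_LDIF_LINE = ldif_userpassword(hash_password("secret", "SSHA", salt=b"\x01\x02\x03\x04"))

if __name__ == "__main__":
    for candidate in ("secret", "Secret", "secret "):
        status = "match" if check_ldif_line(SAMPLE_LDIF_LINE, candidate) else "NO MATCH"
        print(f"{candidate!r}: {status}")
```

If the hash verifies against the password that ldapsearch rejects, the 49 is not a password mismatch and the next things to compare are the exact bind DN (including case and any trailing whitespace) and whether the server that answered the ldaps:// URL is the one whose userPassword you read; if it does not verify, the stored hash simply is not the password being typed.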