Hello,
I'm a bit confused with the ACLs in my slapd.conf considering I have this
access to dn.subtree="" by * read
access to attrs=userPassword,shadowMax,shadowExpire,sambaLMPassword,sambaNTPassword by dn.regex="uid=[^/]+/admin+(realm=MYDOMAIN.ORG)?" write by dn="uid=admin,ou=people,dc=mydomain,dc=org" write by self write by anonymous auth by * none
access to * by dn.regex="uid=[^/]+/admin+(realm=MYDOMAIN.ORG)?" =wrscx by self write by users read by anonymous auth by * none
When I do a ldapsearch without authentication, I can see the user's details including the unencrypted password
ldapsearch -x -b "uid=user1,ou=people,dc=mydomain,dc=org" I think that it's because the rule access to dn.subtree="" by * read With an authenticated user is works as well
ldapsearch -x -D uid=user2,ou=people,dc=mydomain,dc=org -b "uid=user1,ou=people,dc=mydomain,dc=org" -W
But if I comment these two lines #access to dn.subtree="" # by * read The search doesn't give me any result
ldapsearch -x -D uid=user2,ou=people,dc=mydomain,dc=org -b "uid=user1,ou=people,dc=mydomain,dc=org" -W # search result search: 2 result: 32 No such object # numResponses: 1
I would have expected that this command matched access to * by users read
My goal is that only authenticated user would be able to access the ldap directory and users can change their passwords
Does anyone has an idea on how to explain this behavior. ?
Thank you