--On Thursday, April 14, 2022 10:57 AM -0400 Dave Macias davama@gmail.com wrote:
> bind_anon_cred allows anonymous bind when credentials are not empty (e.g. when DN is empty).
> In other words,
> ldapsearch -x -H ldap:/// -w blah
> An anonymous bind, but someone supplied a password. The password is ignored.
> bind_anon_dn allows unauthenticated (anonymous) bind when DN is not empty.
> Similar to the above, but when the DN is supplied (-D) but no password (-w). An anonymous bind, the supplied DN is ignored.
> update_anon allows unauthenticated (anonymous) update operations to be processed (subject to access controls and other administrative limits).
> Allows anonymous users to issue write operations, subject to ACLs, etc.
> My goal is to have a dn that is a memberof a group be able to do add/edit/delete (write) operations on a subtree by only using the binddn (no password).
> This of course still was not my end goal, since I could use a nonexistent binddn to make changes.
What you want is not possible with a simple bind (bind as a user without providing a password). You could use something like client certificate authentication (SASL/EXTERNAL).
Regards, Quanah
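The following cn=config fragment is an added example, not part of the thread and not OpenLDAP project code. It puts the "allow" flags discussed above next to the SASL/EXTERNAL alternative Quanah points to, and the client commands in the comments show how to check which identity slapd actually uses for each kind of bind. The hostname ldap.example.com, the DNs, the certificate file paths, the use of olcDatabase={1}mdb, and the assumption that client certificates are issued with the user's entry DN as their subject are all made up for the example; adjust the authz-regexp to however your CA actually writes subjects.

```ldif
# Added example (not from the thread): cn=config fragment contrasting the
# "allow" flags with SASL/EXTERNAL client-certificate authentication.
# Hostnames, DNs, file paths and the certificate subject layout are assumed.

# --- global options (cn=config) ---
dn: cn=config
changetype: modify
# bind_anon_dn: a bind with a DN but no password succeeds as *anonymous*;
# the DN is discarded, so "by group" / "by dn" ACL clauses can never match.
# bind_anon_cred: a bind with a password but no DN is likewise anonymous.
# (update_anon is deliberately NOT set: it would let that anonymous
# identity write, subject only to ACLs.)
replace: olcAllows
olcAllows: bind_anon_dn
olcAllows: bind_anon_cred
-
# "try": a client certificate is requested; a missing one is tolerated so the
# anonymous binds below still work, but a bad one aborts the TLS session.
replace: olcTLSVerifyClient
olcTLSVerifyClient: try
-
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/certs/client-ca.pem
-
# Map the certificate subject (presented as the SASL EXTERNAL authcid) to the
# user's entry. Assumes certificates are issued with
# subject "cn=<user>,ou=people,dc=example,dc=com".
replace: olcAuthzRegexp
olcAuthzRegexp: {0}"^cn=([^,]+),ou=people,dc=example,dc=com$"
  "ldap:///ou=people,dc=example,dc=com??one?(cn=$1)"

# --- database ACLs (assumed database: olcDatabase={1}mdb) ---
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to dn.subtree="ou=apps,dc=example,dc=com"
  by group.exact="cn=editors,ou=groups,dc=example,dc=com" write
  by * read
olcAccess: {2}to * by * read

# --- what the three binds look like from the client ---
#
# 1. DN supplied, no password (allow bind_anon_dn): the bind succeeds, but
#    the identity is anonymous, so the editors' write ACL does not apply:
#
#      ldapwhoami -x -H ldap://ldap.example.com -ZZ \
#          -D cn=dave,ou=people,dc=example,dc=com
#      # -> anonymous
#
# 2. Password supplied, no DN (allow bind_anon_cred): also anonymous, the
#    password is ignored:
#
#      ldapwhoami -x -H ldap://ldap.example.com -ZZ -w blah
#      # -> anonymous
#
# 3. SASL/EXTERNAL over TLS with a client certificate: still no password,
#    but slapd verifies the certificate against client-ca.pem and the
#    authz-regexp yields the real DN, so group-based write access works:
#
#      LDAPTLS_CERT=/etc/ldap/certs/dave.crt \
#      LDAPTLS_KEY=/etc/ldap/certs/dave.key \
#      ldapwhoami -H ldap://ldap.example.com -ZZ -Y EXTERNAL
#      # -> dn:cn=dave,ou=people,dc=example,dc=com
```

Apply with `ldapmodify -Y EXTERNAL -H ldapi:/// -f` on the server, then run the three `ldapwhoami` commands: the first two returning "anonymous" is the behaviour described in the thread (the DN or password is simply dropped), and only the third produces an identity that `by group.exact=...` can match. Leave update_anon out unless you really intend unauthenticated clients to modify the directory.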