Olivier,
Thank you for your suggestion, it really helped. The problem is now solved.
My configuration now looks like this:
defaultsearchbase dc=mydomain,dc=org
sortvals member memberUid roleOccupant
access to attrs=userpassword,shadowMax,shadowExpire,sambaLMPassword,sambaNTPassword,sambaPwdLastSet by dn.regex="uid=myadmin,ou=people,dc=mydomain,dc=org" write by self write by anonymous auth by * none
access to * by dn.regex="uid=admin,ou=people,dc=mydomain,dc=org" =wrscx by self write by users read by anonymous auth by * none
I have made some tests and so far it seems good. Myadmin is able to see everyone's password, a user can see his own password but not other people's. Non-authenticated users cannot do anything.
I have noticed that I cannot add a comment line in the middle of an ACL, or slapd won't start:
access to * by dn.regex="uid=admin,ou=people,dc=mydomain,dc=org" =wrscx # by self write by users read
But my version 2.4.26 is not the latest, so this feature may have been implemented already.
----- Original Message -----
From: Olivier Guillard olivier@guillard.nom.fr To: Mik J mikydevel@yahoo.fr Cc: Sent: Sunday, 30 September 2012 22:23 Subject: Re: slapd ACLs
Could you activate the ACL debug level?
Since I'm not very familiar with "dn.regex", you might need help from someone else anyway.
Olivier
2012/9/30 Mik J mikydevel@yahoo.fr:
Thank you for your answer Olivier, I tried to do this but it didn't work. The logs look like this:
conn=1001 op=0 BIND dn="user2,ou=people,dc=mydomain,dc=org" method=128
conn=1001 op=0 BIND dn="user2,ou=people,dc=mydomain,dc=org" mech=SIMPLE ssf=0
conn=1001 op=0 RESULT tag=97 err=0 text=
conn=1001 op=1 SRCH base="user1,ou=people,dc=mydomain,dc=org" scope=2 deref=0 filter="(objectClass=*)"
conn=1001 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
conn=1001 op=2 UNBIND
I triple checked, and when it works, with the dn.subtree permission at the beginning of slapd.conf, I have:
conn=1000 op=0 BIND dn="user2,ou=people,dc=mydomain,dc=org" method=128
conn=1000 op=0 BIND dn="user2,ou=people,dc=mydomain,dc=org" mech=SIMPLE ssf=0
conn=1000 op=0 RESULT tag=97 err=0 text=
conn=1000 op=1 SRCH base="user1,ou=people,dc=mydomain,dc=org" scope=2 deref=0 filter="(objectClass=*)"
conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1000 op=2 UNBIND
----- Original Message -----
From: Olivier ldap@guillard.nom.fr To: Mik J mikydevel@yahoo.fr Cc: Sent: Sunday, 30 September 2012 20:29 Subject: Re: slapd ACLs
Try to put this rule:
access to dn.subtree="" by * read
after the two others.
(once a rule matches, the scan stops: order counts)
-- Olivier
2012/9/30 Mik J mikydevel@yahoo.fr:
Hello,
I'm a bit confused with the ACLs in my slapd.conf, considering I have this:
access to dn.subtree="" by * read
access to attrs=userPassword,shadowMax,shadowExpire,sambaLMPassword,sambaNTPassword
        by dn.regex="uid=[^/]+/admin+(realm=MYDOMAIN.ORG)?" write
        by dn="uid=admin,ou=people,dc=mydomain,dc=org" write
        by self write
        by anonymous auth
        by * none
access to *
        by dn.regex="uid=[^/]+/admin+(realm=MYDOMAIN.ORG)?" =wrscx
        by self write
        by users read
        by anonymous auth
        by * none
When I do an ldapsearch without authentication, I can see the user's details including the unencrypted password:
ldapsearch -x -b "uid=user1,ou=people,dc=mydomain,dc=org"
I think that it's because of the rule:
access to dn.subtree="" by * read
With an authenticated user it works as well:
ldapsearch -x -D uid=user2,ou=people,dc=mydomain,dc=org -b "uid=user1,ou=people,dc=mydomain,dc=org" -W
But if I comment out these two lines:
#access to dn.subtree=""
#        by * read
the search doesn't give me any result:
ldapsearch -x -D uid=user2,ou=people,dc=mydomain,dc=org -b "uid=user1,ou=people,dc=mydomain,dc=org" -W
# search result
search: 2
result: 32 No such object
# numResponses: 1
I would have expected this command to match "access to * by users read".
My goal is that only authenticated users are able to access the LDAP directory, and that users can change their own passwords.
Does anyone have an idea how to explain this behavior?
Thank you
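The ordering rule Olivier points at ("once a rule matches, the scan stops") is the whole story of this thread, so here are the two orderings side by side as an added example. This is not a fragment from any message above: slapd picks the first "access to" clause whose target matches the entry or attribute being touched, then the first matching "by" inside that clause, and consults nothing after it. The suffix dc=mydomain,dc=org and the uid=myadmin account are the thread's own placeholder values, not real ones; the switch from dn.regex to dn.exact is my own recommendation, explained below the block.

```conf
# Added example: the weak and the corrected ACL ordering from the thread.
# Suffix and admin DN are the thread's placeholders (dc=mydomain,dc=org,
# uid=myadmin), not real values.

# --- Weak ordering: the catch-all comes first ---------------------------
# dn.subtree="" is the whole directory, so every entry and every attribute
# matches this clause first and the password clause below is never reached.
# Effect: an anonymous "ldapsearch -x" returns userPassword in clear.
access to dn.subtree=""
        by * read
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# --- Corrected ordering: most specific first, catch-all last ------------
# Password-class attributes: the admin may set them, the owner may change
# his own, anonymous may only use them to bind (auth), nobody else sees them.
access to attrs=userPassword,shadowMax,shadowExpire,sambaLMPassword,sambaNTPassword,sambaPwdLastSet
        by dn.exact="uid=myadmin,ou=people,dc=mydomain,dc=org" write
        by self write
        by anonymous auth
        by * none

# Everything else: the admin has full write, each user may edit his own
# entry and read the others, anonymous may only bind, nobody else gets
# anything. An anonymous search now ends in err=32 (No such object):
# with no read access to the entry, slapd does not even disclose that
# it exists.
access to *
        by dn.exact="uid=myadmin,ou=people,dc=mydomain,dc=org" write
        by self write
        by users read
        by anonymous auth
        by * none
```

Two caveats a reviewer would raise on the final configuration posted at the top of the thread. First, dn.regex="uid=myadmin,ou=people,dc=mydomain,dc=org" is an unanchored regular expression in which every "." matches any character; for a literal DN use dn.exact (or dn="..."), and if a pattern is really needed, anchor it, for example dn.regex="^uid=[^,]+,ou=people,dc=mydomain,dc=org$". Second, in slapd.conf a line that begins with whitespace continues the previous directive, which is why the one-"by"-per-line layout above is valid; a "#" only starts a comment at the beginning of a line, so "=wrscx # by self write ..." on one line hands the "#" and everything after it to the ACL parser as part of the directive, which is the failure reported above.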