Hello,
I am trying to set up anonymous binding where systems can only see certain objects and subtrees. In addition, I want to have limits on the attributes that can be seen on those objects.
Below is my config file but so far only the manager CN can bind. What else do I need to do?
Thanks.
slapd.conf:
-------------------------------------------------------------------------
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/sendmail.schema
include /etc/openldap/schema/postfix.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral
ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules:
modulepath /usr/lib64/openldap/openldap
# moduleload back_sock.so
# moduleload back_shell.so
# moduleload back_relay.so
# moduleload back_perl.so
# moduleload back_passwd.so
# moduleload back_null.so
# moduleload back_monitor.so
# moduleload back_meta.so
# moduleload back_ldap.so
# moduleload back_dnssrv.so
moduleload back_hdb.so
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
#
###################################################
#
# ---
#
# Directory Service Access Policy
#
###################################################
#
# Allow folks to read basic attributes from everyone
access to dn.subtree="dc=domain,dc=com" attr=displayName,givenName,employeeNumber,mail
by anonymous read
#
###################################################
#
# End Security Setup.
#
###################################################
#
access to *
by self write
by users read
by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
database hdb
suffix "dc=domain,dc=com"
# <kbyte> <min>
checkpoint 32 30
rootdn "cn=Manager,dc=domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw ---
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/openldap-data
# Indices to maintain
index objectClass eq
-------------------------------------------------------------------------
Regards,
Christopher Koeber