Hi,
Wonderful – the slapd.conf (see the end of this message), with a slight re-arrangement, works!
ldapsearch -H ldap://localhost/ -D cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk -b dc=cch,dc=kcl,dc=ac,dc=uk
does not return userPassword attributes (the -D is only a convenience: no password is supplied, so no authentication is performed, the search runs with anonymous rights, and the `by * none` clause of the userPassword ACL hides the attribute).
However,
ldapsearch -H ldapi:/// -D cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk -b dc=cch,dc=kcl,dc=ac,dc=uk
Does return userPassword, which is what I want: the `by peername.path="/var/run/slapd/ldapi" write` clauses in the ACLs grant full rights to anything that connects through the socket. The UNIX domain socket lives under a root-owned directory with mode 700, so only root can connect this way; i.e. local root has full, unauthenticated access to LDAP, which is what I want so that maintenance scripts can be run against the LDAP database without handling credentials. Note that those directory permissions are the entire security boundary for that ACL clause – peername.path identifies the socket, not the caller's uid – so the directory's owner and mode must stay as they are (and slapd itself must still be able to create the socket there, which implies it runs as root or the directory belongs to its service user – worth confirming). If the socket ever has to be shared with non-root users, binding with SASL EXTERNAL over ldapi (`ldapsearch -Y EXTERNAL -H ldapi:///`) yields a per-uid identity such as `gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth` that can be matched with `by dn.exact=...` instead.
Thanks again for your help :)
Cheers,
Tim
#######################################################################
# Global Directives:
#
# NOTE(review): this slapd.conf was pasted into a mail message with its
# line breaks collapsed; the layout below restores one directive per line
# without changing any directive.

# Features to permit
# (bind_v2 stays commented out, so LDAPv2 binds are not accepted)
#allow bind_v2

# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
# NOTE(review): -1 enables every debug category (trace, packet dumps, ACL
# evaluation, ...).  Useful while the relay/rwm setup is being debugged, but
# it is very noisy and can write request contents to syslog; drop it to
# something like "stats" (or "stats acl" while tuning the ACLs) once the
# configuration is settled.
loglevel -1

# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_hdb
moduleload back_relay
moduleload rwm

# The maximum number of entries that is returned for a search operation
sizelimit 500

# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1

# Anonymous-access policy (see the "allow" directive in slapd.conf(5)):
#   bind_anon_cred - a bind with credentials but an empty DN is treated as
#                    anonymous instead of being rejected
#   bind_anon_dn   - a bind with a DN but no credentials is treated as
#                    anonymous; this is what lets "ldapsearch -D cn=admin,..."
#                    with no password succeed as an anonymous client
#   update_anon    - anonymous clients may submit update operations; whether
#                    they succeed is decided solely by the ACLs below
# NOTE(review): with update_anon set, the ACLs are the only thing standing
# between an unauthenticated ldap:// client and a write; keep the catch-all
# rule at "by * read", never "write".
allow bind_anon_cred bind_anon_dn update_anon

backend hdb
#backend <other>

# rwm declared before any database is a global overlay.  The relay databases
# below each load their own rwm instance with a suffix massage; this global
# instance only switches the rewrite engine on.
overlay rwm
rwm-rewriteEngine on
#######################################################################
# ACLs
#
# These appear before any "database" line, so they are global ACLs and
# govern every database below, including the relay views (no database
# declares ACLs of its own).  Rules are tried in order and the first
# "access to" whose target matches wins, so the password rule must stay
# above the catch-all.

# Password attributes:
#   - anything connecting through the ldapi socket gets full write access.
#     NOTE(review): peername.path identifies the socket, not the caller's
#     uid; the filesystem permissions on the socket and its directory are
#     the entire security boundary for this clause.  If finer control is
#     ever needed, SASL EXTERNAL over ldapi (ldapsearch -Y EXTERNAL) yields a
#     per-uid identity such as
#     gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
#     that can be matched with "by dn.exact=..." instead.
#   - cn=admin gets write access.  It is also the rootdn of the hdb database,
#     where it is exempt from ACLs anyway; presumably this clause is what
#     covers operations that enter through the relay databases, which
#     declare no rootdn -- TODO confirm.
#   - anonymous clients may use the password only to bind ("auth"), so an
#     anonymous ldap:// search never sees userPassword.
#   - users may change their own password; everyone else gets nothing.
access to attrs=userPassword,shadowLastChange
    by peername.path="/var/run/slapd/ldapi" write
    by dn="cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk" write
    by anonymous auth
    by self write
    by * none

# The root DSE must stay readable by everyone: clients read it to discover
# naming contexts and supported features.
access to dn.base="" by * read

# Everything else: the ldapi socket and cn=admin may write, an entry's owner
# may write its own entry, and everyone else -- including anonymous ldap://
# clients -- may read.
# NOTE(review): "by * read" makes the whole tree (minus the password
# attributes above) world-readable over ldap://.  Intended here, but it is
# worth re-checking if the listener is ever exposed beyond localhost.
access to *
    by peername.path="/var/run/slapd/ldapi" write
    by dn="cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk" write
    by self write
    by * read
#######################################################################
# Virtual maps
#
# Each "database relay" publishes a branch of dc=cch,dc=kcl,dc=ac,dc=uk as a
# view onto the real dc=dighum,dc=kcl,dc=ac,dc=uk hdb database; the rwm
# overlay loaded per database massages the suffix in both directions.  Only
# the ou=staff branch and the dc=cch base are enabled; the ou=external,
# ou=student and ou=project blocks are kept commented out as templates.
#
# NOTE(review): declaration order matters.  slapd refuses a database whose
# suffix is already served by a preceding database, so the more specific
# ou=staff,dc=cch view must be declared before the dc=cch view (this is most
# likely the "slight re-arrangement" that made the file load -- confirm).
# NOTE(review): none of the relay databases declares a rootdn, so access to
# them is governed entirely by the global ACLs above.

#
# map ou=staff,dc=cch to dc=dighum
#
database relay
suffix "ou=staff,dc=cch,dc=kcl,dc=ac,dc=uk"
relay "dc=dighum,dc=kcl,dc=ac,dc=uk"
overlay rwm
rwm-suffixmassage "dc=dighum,dc=kcl,dc=ac,dc=uk"

#
# map ou=external,dc=cch to dc=dighum
#
#database relay
#suffix "ou=external,dc=cch,dc=kcl,dc=ac,dc=uk"
#relay "dc=dighum,dc=kcl,dc=ac,dc=uk"
#overlay rwm
#rwm-suffixmassage "dc=dighum,dc=kcl,dc=ac,dc=uk"

#
# map ou=student,dc=cch to dc=dighum
#
#database relay
#suffix "ou=student,dc=cch,dc=kcl,dc=ac,dc=uk"
#relay "dc=dighum,dc=kcl,dc=ac,dc=uk"
#overlay rwm
#rwm-suffixmassage "dc=dighum,dc=kcl,dc=ac,dc=uk"

#
# map ou=project,dc=cch to dc=dighum
#
#database relay
#suffix "ou=project,dc=cch,dc=kcl,dc=ac,dc=uk"
#relay "dc=dighum,dc=kcl,dc=ac,dc=uk"
#overlay rwm
#rwm-suffixmassage "dc=dighum,dc=kcl,dc=ac,dc=uk"

#
# map dc=cch to dc=dighum
#
database relay
suffix "dc=cch,dc=kcl,dc=ac,dc=uk"
relay "dc=dighum,dc=kcl,dc=ac,dc=uk"
overlay rwm
rwm-suffixmassage "dc=dighum,dc=kcl,dc=ac,dc=uk"
#######################################################################
# Specific Directives for database dighum
#
# The real data that every relay view above maps onto.  cn=admin is the
# rootdn here and is therefore exempt from the ACLs for anything it does
# directly in this database.
database hdb
suffix dc=dighum,dc=kcl,dc=ac,dc=uk
rootdn "cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk"
# NOTE(review): this value is the base64 wrapping of a "{SSHA}..." hash --
# the form an LDIF "olcRootPW::" line uses.  slapd.conf does not
# base64-decode rootpw, so as written slapd will most likely treat the whole
# base64 string as a literal cleartext password rather than as an SSHA hash.
# rootpw should carry the "{SSHA}..." value directly (or be omitted, in which
# case the rootdn can only bind via a real entry in the database).  Either
# way, this value has now been posted to a public list: rotate the password.
rootpw "e1NTSEF9TnkzOUx6aGZCRnQvOUIwQzZOeFIvcGtVcXRQWkZObXI="
# slapd must be able to write here and nothing else should be able to read
# it: the database files under this directory hold every attribute,
# userPassword hashes included.
directory "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
# objectClass is the only indexed attribute.  Searches that filter on
# anything else (uid, cn, memberUid, ...) are full scans and are typically
# logged as unindexed at the current loglevel; add "index <attr> eq" for the
# attributes the maintenance scripts search on.
index objectClass eq
lastmod on
checkpoint 512 30
####################################################################### # Specific Directives for database #2, of type 'other' (can be @BACKEND@ too): #database <other> #suffix "dc=debian,dc=org"