Dear Users,
for research purposes i have installed a RHEL6 system to test the new OLC feature.
I only have the cn=config DIT available.
The ACLS are:
# ldapsearch -Y EXTERNAL -H ldapi:/// -b 'cn=config' '(olcAccess=*)' olcAccess
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (olcAccess=*)
# requesting: olcAccess
#
# {0}config, config
dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none
# {1}monitor, config
dn: olcDatabase={1}monitor,cn=config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=manager,dc=my-domain,dc=com" read by * none
so it looks like only UID=0 (root) should be able to interoperate with the directory. However all local users can connect but do not have access to cn=config (this is expected).
[user@host ~]$ ldapsearch -Y EXTERNAL -H ldapi:/// -b 'cn=config'
SASL/EXTERNAL authentication started
SASL username: gidNumber=501+uidNumber=501,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
So why am i even able to logon and state a query?
Regards,