--On Wednesday, November 18, 2020 4:05 PM +0800 张连生 lianszhang@163.com wrote:
> Also tried the following; it doesn't work either.
The ability to authenticate to LDAP requires "auth" privileges to the userPassword attribute (for simple binds, at least). Since any incoming connection has *not yet authenticated*, ALL simple binds start out as anonymous. Thus what you're asking is literally impossible, because it requires *post authentication knowledge*.
To do what you are asking, you need to do something more like:
    access to filter=(accountstatus=active) attrs=userPassword by anonymous auth
This assumes you have an attribute in the entry named "accountstatus".
If you used standard LDAP groups (such as groupOfNames), and implemented "memberOf" capabilities, then you could do something like:
    access to filter=(memberOf=cn=admin,ou=group,dc=migu,dc=com) attrs=userPassword by anonymous auth
Regards,
Quanah

--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
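As an added example (not from the thread above, and not Symas or OpenLDAP project configuration), here is how the filter-based directive Quanah describes fits into a complete slapd.conf ACL set. It assumes the hypothetical "accountstatus" attribute and the dc=migu,dc=com suffix mentioned in the thread, and that the memberof overlay is loaded so memberOf is populated. The point it shows is ordering: slapd picks the first "access to" directive whose target matches the entry and never consults later ones, so the filtered userPassword rule must come before the general userPassword rule and must itself carry the self/write and deny clauses.

```conf
# Added example slapd.conf ACL fragment (assumed attribute names, see lead-in).
#
# Rule 0: entries that are active AND in the admin group may be used for
# simple binds. The filter is evaluated against the *target* entry, which is
# why it works even though the binding client is still anonymous at this
# point; a "by group" clause, which tests the *requester*, could never match.
access to filter=(&(accountstatus=active)(memberOf=cn=admin,ou=group,dc=migu,dc=com))
          attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Rule 1: every other entry's userPassword. Anonymous gets no "auth"
# privilege here, so simple binds against inactive or non-admin accounts
# fail with invalidCredentials. If this rule were placed first it would
# match all entries and rule 0 would be dead code.
access to attrs=userPassword
    by self write
    by * none

# Rule 2: everything else in the tree.
access to *
    by self write
    by users read
    by * none
```

The same three directives in cn=config form are `olcAccess: {0}to filter=(...) attrs=userPassword by self write by anonymous auth by * none`, `olcAccess: {1}to attrs=userPassword by self write by * none` and `olcAccess: {2}to * by self write by users read by * none`; the `{n}` ordering prefix carries the same first-match semantics. To verify a rule set before deploying it, run `slapacl -f slapd.conf -D "" -b "uid=someone,ou=people,dc=migu,dc=com" userPassword/auth`, which reports whether the anonymous identity (`-D ""`) is granted "auth" on that entry without performing a live bind.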