Hello,
Running: 2.6.1
Looking at the slapd.conf man page we have this interesting paragraph:
*bind_anon_cred allows anonymous bind when credentials are not empty (e.g. when DN is empty). bind_anon_dn allows unauthenticated (anonymous) bind when DN is not empty. update_anon allows unauthenticated (anonymous) update operations to be processed (subject to access controls and other administrative limits).*
*My goal is to have a DN that is a member of a group be able to perform add/edit/delete (write) operations on a subtree using only the binddn (no password).* I have no issues with the ACL below when we ldapmodify/delete/add with binddn+password:
olcAccess: {2}to dn.subtree="ou=dns,dc=example,dc=net" filter="(!(|(idnsName=*'.')(objectClass=organizationalUnit)))" by dn="cn=dnsmanager,dc=example,dc=net" write by group.expand="cn=dns,ou=group,dc=example,dc=net" write by * read
I added the below to my dn: cn=config:

olcAllows: bind_anon_dn
olcAllows: update_anon
Since I still could not make any write operations with a simple binddn, I changed the ACL to the below (adding anonymous write):
olcAccess: {2}to dn.subtree="ou=dns,dc=example,dc=net" filter="(!(|(idnsName=*'.')(objectClass=organizationalUnit)))" by dn="cn=dnsmanager,dc=example,dc=net" write by group.expand="cn=dns,ou=group,dc=example,dc=net" write by anonymous write by * read
This of course still was not my end goal, since I could use a nonexistent binddn to make changes:
ldapsearch -xLLL "filter" dn | awk '{print $NF}' | sed '/^$/d' \
  | ldapdelete -x -D uid=someuserthatdoesnotexist,ou=people,dc=example,dc=net
So I'm guessing I'm not understanding or not configuring this correctly. Is it even possible to do this?
Any input is appreciated.
Thank you, Dave
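The point the slapd.conf(5) paragraph quoted above does not spell out is that an unauthenticated bind (non-empty DN, empty password) leaves the session in the anonymous authorization state, as RFC 4513 section 5.1.2 requires; slapd does not keep the supplied DN as an identity. bind_anon_dn only stops slapd from rejecting such a bind outright, and update_anon only lets anonymous sessions attempt updates. An ACL clause such as by dn="cn=dnsmanager,..." or by group.expand=... therefore never matches a password-less simple bind, which is why the writes succeeded only once by anonymous write was added, and why a DN that does not exist worked just as well: the DN was never consulted. A DN-based grant without a password is not achievable with simple bind, but a password-less authenticated identity is. Bind with SASL EXTERNAL over the ldapi:/// socket, where slapd derives the identity from the connecting process's Unix uid and gid (peer credentials), and map that identity onto cn=dnsmanager with olcAuthzRegexp so the ACL already in place matches. The LDIF below is an added example, not from the original post or from the OpenLDAP project; it assumes that slapd listens on ldapi:///, that the DNS management job runs as Unix uid 1001 and gid 1001, and that the data database is olcDatabase={1}mdb,cn=config (all three are assumptions).

```ldif
# Added example (not from the original post). Assumed: slapd listens on
# ldapi:///, the DNS management job runs as uid 1001 / gid 1001, and the
# data database is olcDatabase={1}mdb,cn=config. Apply with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -Q -f this-file.ldif
# as a user whose SASL identity has write access to cn=config.

# Map the SASL EXTERNAL identity slapd derives from the ldapi:/// peer
# credentials onto the DN the ACL already grants write to. The bind carries
# no password, but the session is authenticated as cn=dnsmanager, so
# "by dn=" and "by group.expand=" clauses can match it. The "+" in the
# regex is escaped because it is a regex metacharacter; the continuation
# line (leading space) appends the replacement DN to the same value.
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: gidNumber=1001\+uidNumber=1001,cn=peercred,cn=external,cn=auth
  cn=dnsmanager,dc=example,dc=net
-
# Stop accepting unauthenticated binds and anonymous updates server-wide;
# neither is needed once the job authenticates with EXTERNAL.
delete: olcAllows
-

# Put the ACL back to its first form: drop "by anonymous write", which let
# any unauthenticated client (existing DN or not) modify the DNS subtree.
# Deleting and re-adding by the {2} ordering index keeps the other ACLs.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {2}
-
add: olcAccess
olcAccess: {2}to dn.subtree="ou=dns,dc=example,dc=net" filter="(!(|(idnsName=*'.')(objectClass=organizationalUnit)))" by dn="cn=dnsmanager,dc=example,dc=net" write by group.expand="cn=dns,ou=group,dc=example,dc=net" write by * read
-
```

To check the mapping, run `ldapwhoami -Y EXTERNAL -H ldapi:/// -Q` as uid 1001: with the regexp in place it should answer dn:cn=dnsmanager,dc=example,dc=net rather than the raw gidNumber=1001+uidNumber=1001,cn=peercred,cn=external,cn=auth identity, and the DNS job can then use `ldapmodify -Y EXTERNAL -H ldapi:/// -Q -f change.ldif` with no password at all. Re-running the ldapdelete pipeline from the post with a simple bind and a nonexistent DN should now be refused at bind time (slapd reports the unauthenticated bind as disallowed) instead of being treated as anonymous. Two caveats: ldapi:/// is a local Unix socket, so the job must run on the LDAP server itself (for a remote job the equivalent is a TLS client certificate with olcTLSVerifyClient and an olcAuthzRegexp on the certificate subject), and the mapping targets the by dn= clause directly, so cn=dnsmanager does not need to be a member of cn=dns for the write to be granted.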