Hello,
Running: 2.6.1
Looking at the slapd.conf man page we have this interesting paragraph:
bind_anon_cred allows anonymous bind when credentials are not empty (e.g. when DN is empty). bind_anon_dn allows unauthenticated (anonymous) bind when DN is not empty. update_anon allows unauthenticated (anonymous) update operations to be processed (subject to access controls and other administrative limits).
My goal is to have a dn who is a memberof a group to be able to add/edit/deletes (write) operations to a subtree by only using the binddn (no password).
I have no issues with the below acl when we ldapmodify/delete/add with binddn+password
olcAccess: {2}to dn.subtree="ou=dns,dc=example,dc=net" filter="(!(|(idnsName=*'.')(objectClass=organizationalUnit)))" by dn="cn=dnsmanager,dc=example,dc=net" write by group.expand="cn=dns,ou=group,dc=example,dc=net" write by * read
I added the below to my dn: cn=config
olcAllows: bind_anon_dn
olcAllows: update_anon
Since I still could not make any write operations with simple binddn I changed the ACL to below. (adding anonymous write)
olcAccess: {2}to dn.subtree="ou=dns,dc=example,dc=net" filter="(!(|(idnsName=*'.')(objectClass=organizationalUnit)))" by dn="cn=dnsmanager,dc=example,dc=net" write by group.expand="cn=dns,ou=group,dc=example,dc=net" write by anonymous write by * read
This of course still was not my end goal since I could use a nonexisting binddn to make changes.
> ldapsearch -xLLL "filter" dn | awk '{print $NF}' | sed '/^$/d' | ldapdelete -D uid=someuserthatdoesnotexist,ou=people,dc=example,dc=net
So I'm guessing I'm not understanding or not configuring this correctly.
Is it even possible to do this?
Any input is appreciated.
Thank you,
Dave