Hello,

Running: 2.6.1

Looking at the slapd.conf man page we have this interesting paragraph:

bind_anon_cred allows anonymous bind when credentials are not empty (e.g. when DN is empty). bind_anon_dn allows unauthenticated (anonymous) bind when DN is not empty. update_anon allows unauthenticated (anonymous) update operations to be processed (subject to access controls and other administrative limits).

My goal is to have a DN that is a member of a group be able to perform add/edit/delete (write) operations on a subtree using only the bind DN (no password).

I have no issues with the below ACL when I ldapmodify/delete/add with bind DN + password:

olcAccess: {2}to dn.subtree="ou=dns,dc=example,dc=net" filter="(!(|(idnsName=*'.')(objectClass=organizationalUnit)))" by dn="cn=dnsmanager,dc=example,dc=net" write by group.expand="cn=dns,ou=group,dc=example,dc=net" write by * read

I added the below to my DN cn=config:

olcAllows: bind_anon_dn
olcAllows: update_anon


Since I still could not perform any write operations with just the bind DN, I changed the ACL to the below (adding anonymous write):

olcAccess: {2}to dn.subtree="ou=dns,dc=example,dc=net" filter="(!(|(idnsName=*'.')(objectClass=organizationalUnit)))" by dn="cn=dnsmanager,dc=example,dc=net" write by group.expand="cn=dns,ou=group,dc=example,dc=net" write by anonymous write by * read

This of course still was not my end goal, since I could use a nonexistent bind DN to make changes:

> ldapsearch -xLLL "filter" dn | awk '{print $NF}' | sed '/^$/d' | ldapdelete -D uid=someuserthatdoesnotexist,ou=people,dc=example,dc=net

So I'm guessing I'm not understanding or not configuring this correctly.
Is it even possible to do this?

Any input is appreciated.

Thank you,
Dave
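The following is an added example, not code from the post or from OpenLDAP. It is a small model of what slapd does with the two knobs in the question: a simple bind with a non-empty DN and an empty password is an "unauthenticated" bind (RFC 4513 section 5.1.2), which bind_anon_dn permits but which yields the anonymous authorization identity, not the DN; update_anon then governs whether that anonymous identity may issue updates at all; and the olcAccess "by" clauses are walked in order, first match wins. The directory contents, the users alice and bob, and the treatment of group.expand as plain membership in the group's member attribute are constructed assumptions for the example. Run against the two ACLs from the post, it reproduces what the poster saw: with the original ACL a passwordless bind gets only read (the dn= and group clauses never match an anonymous identity), and with "by anonymous write" any DN at all, existing or not, can write.

```python
"""Toy model of slapd bind identity resolution plus olcAccess 'by' clause
evaluation (first matching clause wins).  Added example, not OpenLDAP
code; DIRECTORY and the extra users are constructed for illustration."""
import re

# Constructed sample directory: DN -> attributes (only what the ACL needs).
DIRECTORY = {
    "cn=dnsmanager,dc=example,dc=net": {"userPassword": "secret"},
    "uid=alice,ou=people,dc=example,dc=net": {"userPassword": "alice-pw"},
    "uid=bob,ou=people,dc=example,dc=net": {"userPassword": "bob-pw"},
    "cn=dns,ou=group,dc=example,dc=net": {
        "member": ["uid=alice,ou=people,dc=example,dc=net"],
    },
}

# The two olcAccess values from the post (ordering prefix {2} kept as-is).
ACL_ORIGINAL = ('{2}to dn.subtree="ou=dns,dc=example,dc=net" '
                'filter="(!(|(idnsName=*\'.\')(objectClass=organizationalUnit)))" '
                'by dn="cn=dnsmanager,dc=example,dc=net" write '
                'by group.expand="cn=dns,ou=group,dc=example,dc=net" write '
                'by * read')
ACL_ANON_WRITE = ACL_ORIGINAL.replace('by * read', 'by anonymous write by * read')

ANONYMOUS = None   # identity slapd assigns to an anonymous connection


def bind(dn, password, allows=()):
    """Return the authorization identity a simple bind ends up with.

    Non-empty DN + empty password is an *unauthenticated* bind (RFC 4513
    s5.1.2): slapd accepts it only with bind_anon_dn in olcAllows, and the
    resulting identity is anonymous.  The DN is never verified or trusted.
    """
    if not password:
        if dn and "bind_anon_dn" not in allows:
            raise PermissionError("unauthenticated bind disallowed")
        return ANONYMOUS
    entry = DIRECTORY.get(dn)
    if entry is None or entry.get("userPassword") != password:
        raise PermissionError("invalid credentials")
    return dn


# Matches: by <who>[="<arg>"] <access>   e.g. by dn="cn=x,dc=y" write / by * read
BY_RE = re.compile(r'\bby\s+([A-Za-z.*]+)(?:="([^"]*)")?\s+(\w+)')


def parse_by_clauses(olc_access):
    """Extract (who, argument, access) triples from an olcAccess value."""
    return BY_RE.findall(olc_access)


def is_group_member(identity, group_dn):
    # Simplified stand-in for group.expand: membership via the group's member values.
    return identity in DIRECTORY.get(group_dn, {}).get("member", [])


def access_for(olc_access, identity):
    """Access level granted by the first 'by' clause that matches identity."""
    for who, arg, access in parse_by_clauses(olc_access):
        if who == "*":
            return access
        if who == "anonymous":
            if identity is ANONYMOUS:
                return access
            continue
        if identity is ANONYMOUS:
            continue            # dn=, group=, users never match an anonymous identity
        if who == "users":
            return access
        if who == "dn" and identity == arg:
            return access
        if who.startswith("group") and is_group_member(identity, arg):
            return access
    return "none"


LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def may_update(olc_access, dn, password, allows=()):
    """True if a bind with (dn, password) may perform a write under olc_access.

    bind_anon_dn decides whether a passwordless bind is accepted at all,
    update_anon whether an anonymous identity may issue updates, and the
    ACL decides the rest.
    """
    identity = bind(dn, password, allows)
    if identity is ANONYMOUS and "update_anon" not in allows:
        return False
    return LEVELS.index(access_for(olc_access, identity)) >= LEVELS.index("write")


def poster_scenarios():
    """The situations described in the post, with olcAllows as the poster set them."""
    allows = ("bind_anon_dn", "update_anon")
    ghost = "uid=someuserthatdoesnotexist,ou=people,dc=example,dc=net"
    return {
        "password bind as dnsmanager, original ACL":
            may_update(ACL_ORIGINAL, "cn=dnsmanager,dc=example,dc=net", "secret", allows),
        "dnsmanager DN, no password, original ACL":
            may_update(ACL_ORIGINAL, "cn=dnsmanager,dc=example,dc=net", "", allows),
        "group member alice, no password, original ACL":
            may_update(ACL_ORIGINAL, "uid=alice,ou=people,dc=example,dc=net", "", allows),
        "nonexistent DN, no password, anonymous-write ACL":
            may_update(ACL_ANON_WRITE, ghost, "", allows),
        "non-member bob with password, anonymous-write ACL":
            may_update(ACL_ANON_WRITE, "uid=bob,ou=people,dc=example,dc=net", "bob-pw", allows),
    }


if __name__ == "__main__":
    for case, ok in poster_scenarios().items():
        print(f"{'WRITE' if ok else 'no write':8} {case}")
```

The model is deliberately narrow (no attribute-level or filter evaluation, no real group.expand pattern expansion), but it shows the part that matters for the question: once the bind is unauthenticated the DN is gone from the picture, so any clause keyed on the DN or its group membership cannot grant anything, and the only way to open writes is "by anonymous", which by construction applies to everyone.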