I am testing some OpenLDAP ACLs and stumbled on a weird issue. My configuration has the following ACL defined:
access to * by users read by peername.ip=1.2.3.4 read by * none
When I run the following ldapsearch I get an "Invalid credentials (49)" error:
$ ldapsearch -b 'dc=foo,dc=com' -x -h ldap1 -W -D 'uid=bingo,ou=users,dc=foo,dc=com' '(objectClass=*)'
Enabling the ACL loglevel produces the following:
Nov 16 09:50:02 tulip slapd[17803]: conn=33003 op=0 BIND dn="uid=bingo,ou=users,dc=foo,dc=com" method=128
Nov 16 09:50:02 tulip slapd[17803]: => acl_get: [2] attr userPassword
Nov 16 09:50:02 tulip slapd[17803]: => acl_mask: access to entry "uid=bingo,ou=users,dc=foo,dc=com", attr "userPassword" requested
Nov 16 09:50:02 tulip slapd[17803]: => acl_mask: to value by "", (=0)
Nov 16 09:50:02 tulip slapd[17803]: <= check a_dn_pat: users
Nov 16 09:42:24 tulip slapd[17803]: <= check a_peername_path: 1.2.3.4
Nov 16 09:42:24 tulip slapd[17803]: <= check a_dn_pat: *
Nov 16 09:42:24 tulip slapd[17803]: <= acl_mask: [5] applying none(=0) (stop)
Nov 16 09:42:24 tulip slapd[17803]: <= acl_mask: [5] mask: none(=0)
Nov 16 09:42:24 tulip slapd[17803]: => slap_access_allowed: auth access denied by none(=0)
Nov 16 09:42:24 tulip slapd[17803]: => access_allowed: no more rules
Does anyone happen to know why "acl_mask: to value by" shows "" instead of the dn of the user passed to the "-D" option? Wireshark shows the binddn and password being passed to the directory server so the "" doesn't make a ton of sense. If I add the following ACL to force anonymous users to auth the search completes without issue:
access to attrs=userPassword by self write by anonymous auth by users none
There must be some subtle item I'm missing here.
Thanks, - Ryan
openldap-technical@openldap.org
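The evaluation the log above records, replayed as an added example that is not part of the original post and is not OpenLDAP's own code: a small Python model of slapd's first-match ACL evaluation (the slapd.access(5) rules: the first `access to` directive whose target matches is the only one consulted, the first matching `by` clause wins, and a directive with no matching `by` clause ends in an implicit `by * none`). The two ACL lines are the ones quoted in the post; the client address 10.0.0.5, the entry uid=alice and the objectClass search are constructed for the demonstration.

```python
"""Model of slapd's first-match ACL evaluation, used to replay the bind in the
post. Added illustration, not OpenLDAP code; supports only the selectors the
post's ACLs use."""
from dataclasses import dataclass

# slapd privilege levels from weakest to strongest; a granted level also
# satisfies every weaker requested level (auth does not satisfy read).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


@dataclass
class Request:
    target_dn: str   # entry being accessed
    attr: str        # attribute being accessed
    bind_dn: str     # identity of the requester; "" means anonymous
    peer_ip: str     # client address, for peername.ip= selectors
    access: str      # level the operation needs: "auth" for a bind, "read" for a search


def who_matches(who, req):
    """Match one <who> selector (subset of slapd.access(5) syntax)."""
    if who == "*":
        return True
    if who == "anonymous":
        return req.bind_dn == ""
    if who == "users":
        return req.bind_dn != ""
    if who == "self":
        return req.bind_dn != "" and req.bind_dn.lower() == req.target_dn.lower()
    if who.startswith("peername.ip="):
        return req.peer_ip == who.split("=", 1)[1]
    raise ValueError(f"unsupported <who> selector: {who}")


def what_matches(what, req):
    """Match the <what> part: '*' or 'attrs=a,b,c'."""
    if what == "*":
        return True
    if what.startswith("attrs="):
        return req.attr.lower() in what[len("attrs="):].lower().split(",")
    raise ValueError(f"unsupported <what> selector: {what}")


def parse_acl(line):
    """'access to <what> by <who> <level> [by <who> <level> ...]' -> (what, [(who, level), ...])."""
    tokens = line.split()
    rest = tokens[3:]
    if tokens[:2] != ["access", "to"] or len(rest) % 3 or any(rest[i] != "by" for i in range(0, len(rest), 3)):
        raise ValueError(f"malformed ACL: {line}")
    return tokens[2], [(rest[i + 1], rest[i + 2]) for i in range(0, len(rest), 3)]


def evaluate(acls, req):
    """Return (granted_level, trace) following slapd's stop-at-first-match rules."""
    trace = []
    for line in acls:
        what, clauses = parse_acl(line)
        if not what_matches(what, req):
            continue                      # only the first matching directive is consulted
        for who, level in clauses:
            trace.append(f"check {who}")
            if who_matches(who, req):
                trace.append(f"applying {level} (stop)")
                return level, trace
        trace.append("applying none (implicit by * none)")
        return "none", trace
    trace.append("no matching directive: none")
    return "none", trace


def allowed(acls, req):
    granted, _ = evaluate(acls, req)
    return LEVELS.index(granted) >= LEVELS.index(req.access)


def simple_bind(acls, dn, peer_ip):
    """A simple bind needs 'auth' access to userPassword, checked while the
    connection is still anonymous: bind_dn is "" no matter what -D carried."""
    return allowed(acls, Request(target_dn=dn, attr="userPassword",
                                 bind_dn="", peer_ip=peer_ip, access="auth"))


BINGO = "uid=bingo,ou=users,dc=foo,dc=com"
# The two ACL lines from the post. BROKEN is the failing configuration; in FIXED
# the userPassword directive is placed before 'access to *' so it is consulted first.
ORIGINAL = "access to * by users read by peername.ip=1.2.3.4 read by * none"
PASSWORD = "access to attrs=userPassword by self write by anonymous auth by users none"
BROKEN = [ORIGINAL]
FIXED = [PASSWORD, ORIGINAL]

if __name__ == "__main__":
    bind = Request(BINGO, "userPassword", "", "10.0.0.5", "auth")   # 10.0.0.5 is a constructed client
    print("broken bind:", evaluate(BROKEN, bind))   # ends in 'applying none (stop)', as in the log
    print("fixed bind: ", evaluate(FIXED, bind))    # 'applying auth (stop)' via 'by anonymous'
    print("wrong order:", simple_bind([ORIGINAL, PASSWORD], BINGO, "10.0.0.5"))
```

The trace for BROKEN reproduces the log: users, then peername.ip, then `*` are checked with an empty bind DN, and `by * none` is applied, so the `auth` check fails and the client sees Invalid credentials (49). With PASSWORD ahead of `access to *`, anonymous gets exactly `auth` on userPassword, which is enough to verify a password but not to read the hash (`auth` is below `read` in the ladder), while other authenticated users get `none` on it and the owner keeps `write`; put PASSWORD after `access to *` and the bind is denied again, because the first directive whose target matches is the only one consulted.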