--On Tuesday, November 14, 2017 8:56 PM +0000 Kaya Saman kayasaman@gmail.com wrote:
> access to * by ssf=128 self write by ssf=128 anonymous auth by ssf=128 users read
> # Added ACL for open access to AddressBook in Read and Search only mode
> access to dn.children="ou=AddressBook,dc=domain,dc=com" by * search by * read
Your second ACL will never be evaluated, since the first ACL matches everything. As noted in the slapd.access(5) man page, ACL processing stops on the first matching ACL.
In addition, in your second ACL, the "by * read" will never be processed, because of the match to "by * search". If you're already planning on granting read, there is no point to having by * search there at all.
I.e., your ACLs should be:
access to dn.children="ou=AddressBook,dc=domain,dc=com" by * read
access to * by ssf=128 self write by ssf=128 anonymous auth by ssf=128 users read
And I generally doubt you want to give users read to "*", as this means they can read the userPassword values of other users, etc.
You might want something more like:
access to dn.children="ou=AddressBook,dc=domain,dc=com" by * read
access to attrs=userPassword by ssf=128 anonymous auth by ssf=128 self write
access to * by ssf=128 self write by ssf=128 users read
And yes, you have to remove the global SSF setting if the phone cannot support startTLS on port 389.
--Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
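To make the first-match rules in the reply above concrete, here is a small Python model of how slapd walks `access to` directives and `by` clauses. It is an added example written for this page, not OpenLDAP code and not something Quanah or Kaya posted; it parses only the subset of slapd.access(5) syntax that appears in the thread, and the entry DNs and requests it evaluates are constructed for illustration.

```python
"""Toy re-implementation of slapd's ACL evaluation order (example code, not
OpenLDAP's). slapd walks 'access to' directives top to bottom and stops at the
first whose <what> matches the entry/attribute; within it, the first 'by'
clause whose <who> conditions all hold decides the access level. Only the
syntax used in the thread is parsed."""

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def parse_acl(line):
    """Parse 'access to <what> by <who...> <level> [by ...]' into (what, [(conds, level)])."""
    tok = line.split()
    assert tok[:2] == ["access", "to"], line
    what, rest, clauses, i = tok[2], tok[3:], [], 0
    while i < len(rest):
        assert rest[i] == "by", line
        i += 1
        conds = []
        while rest[i] not in LEVELS:      # every token up to the level is a <who> condition
            conds.append(rest[i])
            i += 1
        clauses.append((conds, rest[i]))
        i += 1
    return what, clauses


def what_matches(what, dn, attr):
    dn = dn.lower()
    if what == "*":
        return True
    if what.startswith("dn.children="):
        base = what[len("dn.children="):].strip('"').lower()
        return dn != base and dn.endswith("," + base)
    if what.startswith("attrs="):
        return attr.lower() in what[len("attrs="):].lower().split(",")
    raise ValueError("unsupported <what>: " + what)


def who_matches(conds, req):
    """All conditions on one 'by' line are ANDed, e.g. 'by ssf=128 self write'."""
    bind_dn = req["bind_dn"]
    checks = {
        "*": True,
        "anonymous": bind_dn is None,
        "users": bind_dn is not None,
        "self": bind_dn is not None and bind_dn.lower() == req["dn"].lower(),
    }
    for c in conds:
        if c.startswith("ssf="):
            if req["ssf"] < int(c[4:]):
                return False
        elif not checks[c]:          # KeyError for <who> forms this toy does not model
            return False
    return True


def evaluate(acls, req):
    """Return (level, directive_index, by_index). A matching directive with no
    matching 'by' clause yields 'none' (slapd's implicit 'by * none' at the end
    of every directive); later directives are never consulted."""
    for i, (what, clauses) in enumerate(acls):
        if not what_matches(what, req["dn"], req["attr"]):
            continue
        for j, (conds, level) in enumerate(clauses):
            if who_matches(conds, req):
                return level, i, j
        return "none", i, None
    return "none", None, None


def allowed(acls, req, needed):
    """Access levels are cumulative: 'read' implies 'search', 'auth', and so on."""
    return LEVELS.index(evaluate(acls, req)[0]) >= LEVELS.index(needed)


def request(dn, attr, bind_dn=None, ssf=0):
    return {"dn": dn, "attr": attr, "bind_dn": bind_dn, "ssf": ssf}


# The three configurations discussed in the thread, one directive per line.
ORIGINAL = [parse_acl(l) for l in [
    'access to * by ssf=128 self write by ssf=128 anonymous auth by ssf=128 users read',
    'access to dn.children="ou=AddressBook,dc=domain,dc=com" by * search by * read',
]]
REORDERED = [parse_acl(l) for l in [
    'access to dn.children="ou=AddressBook,dc=domain,dc=com" by * read',
    'access to * by ssf=128 self write by ssf=128 anonymous auth by ssf=128 users read',
]]
SUGGESTED = [parse_acl(l) for l in [
    'access to dn.children="ou=AddressBook,dc=domain,dc=com" by * read',
    'access to attrs=userPassword by ssf=128 anonymous auth by ssf=128 self write',
    'access to * by ssf=128 self write by ssf=128 users read',
]]

# Constructed sample requests (entry and bind DNs are made up for this example).
PHONE = request("cn=Bob,ou=AddressBook,dc=domain,dc=com", "cn")   # anonymous, no TLS
ALICE_READS_BOB_PW = request("uid=bob,ou=People,dc=domain,dc=com", "userPassword",
                             bind_dn="uid=alice,ou=People,dc=domain,dc=com", ssf=128)

if __name__ == "__main__":
    for name, acls in [("original", ORIGINAL), ("reordered", REORDERED), ("suggested", SUGGESTED)]:
        print(name, "| phone reads AddressBook:", evaluate(acls, PHONE),
              "| alice reads bob's userPassword:", evaluate(acls, ALICE_READS_BOB_PW))
```

Running it shows the three points from the reply: with the original order, the anonymous phone hits directive 0 (`access to *`), fails every `ssf=128` condition and is denied without directive 1 ever being consulted; in a directive written `by * search by * read`, the `search` clause always wins; and with the merely reordered pair, `by ssf=128 users read` on `*` lets any authenticated user read another user's `userPassword`, which the suggested `attrs=userPassword` directive placed ahead of `*` prevents.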
On 11/15/2017 04:18 PM, Quanah Gibson-Mount wrote:
> access to dn.children="ou=AddressBook,dc=domain,dc=com" by * read
> access to attrs=userPassword by ssf=128 anonymous auth by ssf=128 self write
> access to * by ssf=128 self write by ssf=128 users read
Many Thanks. I installed this suggestion currently. I will keep reading and learning in the meantime :-) I mean at present the majority of slapd lookups are going through a RADIUS server but I will keep researching to integrate them better as there are a few PAM users also accessing slapd.
Regards,
Kaya
openldap-technical@openldap.org