De : Olivier <ldap(a)guillard.nom.fr&gt; À : Mik J <mikydevel(a)yahoo.fr&gt; Cc : Envoyé le : Dimanche 30 septembre 2012 20h29 Objet : Re: slapd ACLs T ry to put this rule : > access to dn.subtree="" >         by * read after the two others. (ionce a rule matches, then the scan stops : order counts) -- Olivier 2012/9/30 Mik J <mikydevel(a)yahoo.fr&gt;: > Hello, > > I'm a bit confused with the ACLs in my slapd.conf considering I have this > > access to dn.subtree="" >         by * read > > access to attrs=userPassword,shadowMax,shadowExpire,sambaLMPassword,sambaNTPassword >         by dn.regex="uid=[^/]+/admin\+(realm=MYDOMAIN.ORG)?" write >         by dn="uid=admin,ou=people,dc=mydomain,dc=org" write >         by self write >         by anonymous auth >         by * none > > access to * >         by dn.regex="uid=[^/]+/admin\+(realm=MYDOMAIN.ORG)?" =wrscx >         by self write >         by users read >         by anonymous auth >         by * none > > > When I do a ldapsearch without authentication, I can see the user's details including the unencrypted password > > ldapsearch -x -b "uid=user1,ou=people,dc=mydomain,dc=org" > I think that it's because the rule access to dn.subtree="" by * read > With an authenticated user is works as well > > ldapsearch -x -D uid=user2,ou=people,dc=mydomain,dc=org -b "uid=user1,ou=people,dc=mydomain,dc=org" -W > > But if I comment these two lines > #access to dn.subtree="" > #        by * read > The search doesn't give me any result > > ldapsearch -x -D uid=user2,ou=people,dc=mydomain,dc=org -b "uid=user1,ou=people,dc=mydomain,dc=org" -W > # search result > search: 2 > result: 32 No such object > # numResponses: 1 > > I would have expected that this command matched > access to * >         by users read > > My goal is that only authenticated user would be able to access the ldap directory and users can change their passwords > > Does anyone has an idea on how to explain this behavior. ? > > Thank you >