De : Olivier Guillard <olivier(a)guillard.nom.fr&gt; À : Mik J <mikydevel(a)yahoo.fr&gt; Cc : Envoyé le : Dimanche 30 septembre 2012 22h23 Objet : Re: slapd ACLs Could you activate ACL debug level ? since I'm not very familiar with "dn.regex", you might need help from someone else anyway. --- Olivier 2012/9/30 Mik J <mikydevel(a)yahoo.fr&gt;: > Thank you for your answer Olivier, I tried to do this but it didn't work. The logs look like this > > conn=1001 op=0 BIND dn="user2,ou=people,dc=mydomain,dc=org" method=128 > conn=1001 op=0 BIND dn="user2,ou=people,dc=mydomain,dc=org" mech=SIMPLE ssf=0 > conn=1001 op=0 RESULT tag=97 err=0 text= > conn=1001 op=1 SRCH base="user1,ou=people,dc=mydomain,dc=org" scope=2 deref=0 filter="(objectClass=*)" > conn=1001 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text= > conn=1001 op=2 UNBIND > > I triple checked, and when it works, with the dn.subtree permission in the begining of slapd.conf I have > conn=1000 op=0 BIND dn="user2,ou=people,dc=mydomain,dc=org" method=128 > conn=1000 op=0 BIND dn="user2,ou=people,dc=mydomain,dc=org" mech=SIMPLE ssf=0 > conn=1000 op=0 RESULT tag=97 err=0 text= > conn=1000 op=1 SRCH base="user1,ou=people,dc=mydomain,dc=org" scope=2 deref=0 filter="(objectClass=*)" > conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= > conn=1000 op=2 UNBIND > > > > > ----- Mail original ----- >> De : Olivier <ldap(a)guillard.nom.fr&gt; >> À : Mik J <mikydevel(a)yahoo.fr&gt; >> Cc : >> Envoyé le : Dimanche 30 septembre 2012 20h29 >> Objet : Re: slapd ACLs >> >> T ry to put this rule : >> >>>   access to dn.subtree="" >>>           by * read >> >> after the two others. >> >> (ionce a rule matches, then the scan stops : order counts) >> >> -- >> Olivier >> >> 2012/9/30 Mik J <mikydevel(a)yahoo.fr&gt;: >>>   Hello, >>> >>>   I'm a bit confused with the ACLs in my slapd.conf considering I have >> this >>> >>>   access to dn.subtree="" >>>           by * read >>> >>>   access to >> attrs=userPassword,shadowMax,shadowExpire,sambaLMPassword,sambaNTPassword >>>           by dn.regex="uid=[^/]+/admin\+(realm=MYDOMAIN.ORG)?" >> write >>>           by dn="uid=admin,ou=people,dc=mydomain,dc=org" write >>>           by self write >>>           by anonymous auth >>>           by * none >>> >>>   access to * >>>           by dn.regex="uid=[^/]+/admin\+(realm=MYDOMAIN.ORG)?" >> =wrscx >>>           by self write >>>           by users read >>>           by anonymous auth >>>         by * none >>> >>> >>>   When I do a ldapsearch without authentication, I can see the user's >> details including the unencrypted password >>> >>>   ldapsearch -x -b "uid=user1,ou=people,dc=mydomain,dc=org" >>>   I think that it's because the rule access to dn.subtree="" by >> * read >>>   With an authenticated user is works as well >>> >>>   ldapsearch -x -D uid=user2,ou=people,dc=mydomain,dc=org -b >> "uid=user1,ou=people,dc=mydomain,dc=org" -W >>> >>>   But if I comment these two lines >>>   #access to dn.subtree="" >>>   #        by * read >>>   The search doesn't give me any result >>> >>>   ldapsearch -x -D uid=user2,ou=people,dc=mydomain,dc=org -b >> "uid=user1,ou=people,dc=mydomain,dc=org" -W >>>   # search result >>>   search: 2 >>>   result: 32 No such object >>>   # numResponses: 1 >>> >>>   I would have expected that this command matched >>>   access to * >>>           by users read >>> >>>   My goal is that only authenticated user would be able to access the ldap >> directory and users can change their passwords >>> >>>   Does anyone has an idea on how to explain this behavior. ? >>> >>>   Thank you >>> >> >