Hello,
Running: 2.6.1
Looking at the slapd.conf man page we have this interesting paragraph:
bind_anon_cred allows anonymous bind when credentials are not empty (e.g. when DN is empty). bind_anon_dn allows unauthenticated (anonymous) bind when DN is not empty. update_anon allows unauthenticated (anonymous) update operations to be processed (subject to access controls and other administrative limits).
My goal is to have a dn who is a member of a group to be able to do add/edit/delete (write) operations to a subtree by only using the binddn (no password). I have no issues with the below acl when we ldapmodify/delete/add with binddn+password:
olcAccess: {2}to dn.subtree="ou=dns,dc=example,dc=net" filter="(!(|(idnsName=*'.')(objectClass=organizationalUnit)))" by dn="cn=dnsmanager,dc=example,dc=net" write by group.expand="cn=dns,ou=group,dc=example,dc=net" write by * read
I added the below to my dn: cn=config
olcAllows: bind_anon_dn
olcAllows: update_anon
Since I still could not make any write operations with a simple binddn, I changed the ACL to the below (adding anonymous write):
olcAccess: {2}to dn.subtree="ou=dns,dc=example,dc=net" filter="(!(|(idnsName=*'.')(objectClass=organizationalUnit)))" by dn="cn=dnsmanager,dc=example,dc=net" write by group.expand="cn=dns,ou=group,dc=example,dc=net" write by anonymous write by * read
This of course still was not my end goal, since I could use a nonexistent binddn to make changes:
ldapsearch -xLLL "filter" dn | awk '{print $NF}' | sed '/^$/d' \
  | ldapdelete -x -D uid=someuserthatdoesnotexist,ou=people,dc=example,dc=net
So I'm guessing I'm not understanding or not configuring this correctly. Is it even possible to do this?
Any input is appreciated.
Thank you, Dave
--On Thursday, April 14, 2022 10:57 AM -0400 Dave Macias davama@gmail.com wrote:
> bind_anon_cred allows anonymous bind when credentials are not empty (e.g. when DN is empty).
In other words,
ldapsearch -x -H ldap:/// -w blah
An anonymous bind, but someone supplied a password. The password is ignored.
> bind_anon_dn allows unauthenticated (anonymous) bind when DN is not empty.
Similar to the above, but when the DN is supplied (-D) but no password (-w). An anonymous bind, the supplied DN is ignored.
> update_anon allows unauthenticated (anonymous) update operations to be processed (subject to access controls and other administrative limits).
Allows anonymous users to issue write operations, subject to ACLs, etc.
> My goal is to have a dn who is a member of a group to be able to do add/edit/delete (write) operations to a subtree by only using the binddn (no password).
> This of course still was not my end goal, since I could use a nonexistent binddn to make changes.
What you want is not possible with a simple bind (bind as a user without providing a password). You could use something like client certificate authentication (SASL/EXTERNAL).
Regards, Quanah
openldap-technical@openldap.org
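To make Quanah's explanation concrete, here is a constructed Python model (added here; it is not OpenLDAP code and not from either message) of how the olcAllows values turn a password-less simple bind into an anonymous session, and how the olcAccess {2} lines from Dave's message are then evaluated clause by clause. The user entries, passwords and group membership are hypothetical.

```python
# Constructed model of the slapd behaviour described in the thread (example only,
# not OpenLDAP code). Identities, passwords and group membership are made up.
ACCESS_LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

DNSMANAGER = "cn=dnsmanager,dc=example,dc=net"
DNS_GROUP = "cn=dns,ou=group,dc=example,dc=net"
ALICE = "uid=alice,ou=people,dc=example,dc=net"
# Constructed directory: known users with their passwords, and group membership.
USERS = {DNSMANAGER: "dns-secret", ALICE: "alice-secret"}
GROUPS = {DNS_GROUP: {ALICE}}

# The two olcAccess {2} lines from the thread, as ordered (who, target, access) clauses.
ACL_ORIGINAL = [("dn", DNSMANAGER, "write"), ("group", DNS_GROUP, "write"),
                ("*", None, "read")]
ACL_ANON_WRITE = [("dn", DNSMANAGER, "write"), ("group", DNS_GROUP, "write"),
                  ("anonymous", None, "write"), ("*", None, "read")]


def bind_identity(allows, bind_dn, password):
    """Identity slapd associates with a simple bind, or None if the bind is rejected."""
    if not bind_dn and not password:
        return "anonymous"                      # plain anonymous bind
    if bind_dn and not password:                # "unauthenticated" bind: DN given, no password
        return "anonymous" if "bind_anon_dn" in allows else None
    if not bind_dn and password:                # credentials given, but no DN
        return "anonymous" if "bind_anon_cred" in allows else None
    # Normal authenticated bind: the supplied DN is the identity only if the password matches.
    return bind_dn if USERS.get(bind_dn) == password else None


def access_granted(allows, acl, identity, wanted):
    """First matching 'by' clause wins; anonymous updates additionally need update_anon."""
    if identity == "anonymous" and wanted in ("write", "manage") and "update_anon" not in allows:
        return False
    for who, target, level in acl:
        matched = (who == "*"
                   or (who == "anonymous" and identity == "anonymous")
                   or (who == "dn" and identity == target)
                   or (who == "group" and identity in GROUPS.get(target, set())))
        if matched:
            return ACCESS_LEVELS.index(level) >= ACCESS_LEVELS.index(wanted)
    return False                                # no clause matched: access denied


def can_write(allows, acl, bind_dn, password):
    """Would a write to the ou=dns subtree succeed for this bind under this ACL?"""
    identity = bind_identity(allows, bind_dn, password)
    return identity is not None and access_granted(allows, acl, identity, "write")
```

With bind_anon_dn set, a DN-only bind as cn=dnsmanager never matches the `by dn=` clause because the session is anonymous, and once `by anonymous write` is added any DN at all, existing or not, gets write access.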