Thank you for your answer Olivier, I tried to do this but it didn't work. The logs look like this:

conn=1001 op=0 BIND dn="user2,ou=people,dc=mydomain,dc=org" method=128
conn=1001 op=0 BIND dn="user2,ou=people,dc=mydomain,dc=org" mech=SIMPLE ssf=0
conn=1001 op=0 RESULT tag=97 err=0 text=
conn=1001 op=1 SRCH base="user1,ou=people,dc=mydomain,dc=org" scope=2 deref=0 filter="(objectClass=*)"
conn=1001 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
conn=1001 op=2 UNBIND

I triple checked, and when it works, with the dn.subtree permission at the beginning of slapd.conf, I have:

conn=1000 op=0 BIND dn="user2,ou=people,dc=mydomain,dc=org" method=128
conn=1000 op=0 BIND dn="user2,ou=people,dc=mydomain,dc=org" mech=SIMPLE ssf=0
conn=1000 op=0 RESULT tag=97 err=0 text=
conn=1000 op=1 SRCH base="user1,ou=people,dc=mydomain,dc=org" scope=2 deref=0 filter="(objectClass=*)"
conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1000 op=2 UNBIND

----- Original Message -----
> From: Olivier <[email protected]>
> To: Mik J <[email protected]>
> Cc:
> Sent: Sunday 30 September 2012 20:29
> Subject: Re: slapd ACLs
>
> Try to put this rule:
>
>> access to dn.subtree=""
>>     by * read
>
> after the two others.
>
> (once a rule matches, then the scan stops: order counts)
>
> --
> Olivier
>
> 2012/9/30 Mik J <[email protected]>:
>> Hello,
>>
>> I'm a bit confused with the ACLs in my slapd.conf considering I have this
>>
>> access to dn.subtree=""
>>     by * read
>>
>> access to attrs=userPassword,shadowMax,shadowExpire,sambaLMPassword,sambaNTPassword
>>     by dn.regex="uid=[^/]+/admin\+(realm=MYDOMAIN.ORG)?" write
>>     by dn="uid=admin,ou=people,dc=mydomain,dc=org" write
>>     by self write
>>     by anonymous auth
>>     by * none
>>
>> access to *
>>     by dn.regex="uid=[^/]+/admin\+(realm=MYDOMAIN.ORG)?" =wrscx
>>     by self write
>>     by users read
>>     by anonymous auth
>>     by * none
>>
>>
>> When I do a ldapsearch without authentication, I can see the user's details including the unencrypted password
>>
>> ldapsearch -x -b "uid=user1,ou=people,dc=mydomain,dc=org"
>>
>> I think that it's because of the rule access to dn.subtree="" by * read
>> With an authenticated user it works as well
>>
>> ldapsearch -x -D uid=user2,ou=people,dc=mydomain,dc=org -b "uid=user1,ou=people,dc=mydomain,dc=org" -W
>>
>> But if I comment these two lines
>> #access to dn.subtree=""
>> #    by * read
>> The search doesn't give me any result
>>
>> ldapsearch -x -D uid=user2,ou=people,dc=mydomain,dc=org -b "uid=user1,ou=people,dc=mydomain,dc=org" -W
>> # search result
>> search: 2
>> result: 32 No such object
>> # numResponses: 1
>>
>> I would have expected that this command matched
>> access to *
>>     by users read
>>
>> My goal is that only authenticated users would be able to access the ldap directory and users can change their passwords
>>
>> Does anyone have an idea on how to explain this behavior?
>>
>> Thank you
>>
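The ordering rule Olivier describes (slapd stops at the first `access to` clause whose target matches, then at the first `by` clause whose subject matches), written out as an added example of a slapd.conf ACL block for the goal stated in the thread; this is editorial example configuration, not Olivier's or Mik's. It reuses the DNs and attribute list from the thread, replaces the Kerberos-style admin regex with a plain `dn.exact` admin entry, and assumes the lines sit inside the database section for dc=mydomain,dc=org (after the `database` and `suffix` directives).

```conf
# Added example, not configuration from the thread. Most specific target first:
# a catch-all such as  access to dn.subtree="" by * read  placed before these
# clauses matches every entry, so nothing after it is ever evaluated and
# anonymous gets read on everything, userPassword included.

# 1. Password attributes: the owner and the admin may change them, anonymous
#    may only use them to authenticate (simple bind), everyone else gets nothing.
access to attrs=userPassword,shadowMax,shadowExpire,sambaLMPassword,sambaNTPassword
    by dn.exact="uid=admin,ou=people,dc=mydomain,dc=org" write
    by self write
    by anonymous auth
    by * none

# 2. Everything else: authenticated users read, owners may edit their own
#    entry, anonymous gets auth only. "access to *" matches every remaining
#    entry and attribute, so any clause written after it (including a trailing
#    access to dn.subtree="" by * read) is dead and can simply be dropped.
access to *
    by dn.exact="uid=admin,ou=people,dc=mydomain,dc=org" write
    by self write
    by users read
    by anonymous auth
    by * none
```

The resulting rights can be checked with slapacl(8) before reloading slapd, for instance `slapacl -f slapd.conf -D "uid=user2,ou=people,dc=mydomain,dc=org" -b "uid=user1,ou=people,dc=mydomain,dc=org" userPassword/read`, which reports whether that access is allowed or denied for the given bind DN.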
