Olivier, Thank you for your suggestion, it really helped. The problem is now solved.
My configuration looks like this now

defaultsearchbase dc=mydomain,dc=org
sortvals member memberUid roleOccupant

access to attrs=userpassword,shadowMax,shadowExpire,sambaLMPassword,sambaNTPassword,sambaPwdLastSet
    by dn.regex="uid=myadmin,ou=people,dc=mydomain,dc=org" write
    by self write
    by anonymous auth
    by * none

access to *
    by dn.regex="uid=admin,ou=people,dc=mydomain,dc=org" =wrscx
    by self write
    by users read
    by anonymous auth
    by * none

I have made some tests and so far it seems good. Myadmin is able to see everyone's password, a user can see his passwords but not other people's. Non-authenticated users cannot do anything.

I have noticed that I cannot add a comment line in the middle of an ACL, and slapd won't start:

access to *
    by dn.regex="uid=admin,ou=people,dc=mydomain,dc=org" =wrscx
#    by self write
    by users read

But my version 2.4.26 is not the latest, so this feature may have been implemented already.

----- Original Message -----
> From: Olivier Guillard <[email protected]>
> To: Mik J <[email protected]>
> Cc:
> Sent: Sunday, 30 September 2012, 22:23
> Subject: Re: slapd ACLs
>
> Could you activate ACL debug level ?
>
> since I'm not very familiar with "dn.regex", you might need help from
> someone else anyway.
>
> ---
> Olivier
>
> 2012/9/30 Mik J <[email protected]>:
>> Thank you for your answer Olivier, I tried to do this but it didn't work.
>> The logs look like this
>>
>> conn=1001 op=0 BIND dn="user2,ou=people,dc=mydomain,dc=org" method=128
>> conn=1001 op=0 BIND dn="user2,ou=people,dc=mydomain,dc=org" mech=SIMPLE ssf=0
>> conn=1001 op=0 RESULT tag=97 err=0 text=
>> conn=1001 op=1 SRCH base="user1,ou=people,dc=mydomain,dc=org" scope=2 deref=0 filter="(objectClass=*)"
>> conn=1001 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
>> conn=1001 op=2 UNBIND
>>
>> I triple checked, and when it works, with the dn.subtree permission in the beginning of slapd.conf I have
>>
>> conn=1000 op=0 BIND dn="user2,ou=people,dc=mydomain,dc=org" method=128
>> conn=1000 op=0 BIND dn="user2,ou=people,dc=mydomain,dc=org" mech=SIMPLE ssf=0
>> conn=1000 op=0 RESULT tag=97 err=0 text=
>> conn=1000 op=1 SRCH base="user1,ou=people,dc=mydomain,dc=org" scope=2 deref=0 filter="(objectClass=*)"
>> conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
>> conn=1000 op=2 UNBIND
>>
>> ----- Original Message -----
>>> From: Olivier <[email protected]>
>>> To: Mik J <[email protected]>
>>> Cc:
>>> Sent: Sunday, 30 September 2012, 20:29
>>> Subject: Re: slapd ACLs
>>>
>>> Try to put this rule :
>>>
>>>> access to dn.subtree=""
>>>>     by * read
>>>
>>> after the two others.
>>>
>>> (once a rule matches, then the scan stops : order counts)
>>>
>>> --
>>> Olivier
>>>
>>> 2012/9/30 Mik J <[email protected]>:
>>>> Hello,
>>>>
>>>> I'm a bit confused with the ACLs in my slapd.conf considering I have this
>>>>
>>>> access to dn.subtree=""
>>>>     by * read
>>>>
>>>> access to attrs=userPassword,shadowMax,shadowExpire,sambaLMPassword,sambaNTPassword
>>>>     by dn.regex="uid=[^/]+/admin\+(realm=MYDOMAIN.ORG)?" write
>>>>     by dn="uid=admin,ou=people,dc=mydomain,dc=org" write
>>>>     by self write
>>>>     by anonymous auth
>>>>     by * none
>>>>
>>>> access to *
>>>>     by dn.regex="uid=[^/]+/admin\+(realm=MYDOMAIN.ORG)?" =wrscx
>>>>     by self write
>>>>     by users read
>>>>     by anonymous auth
>>>>     by * none
>>>>
>>>> When I do a ldapsearch without authentication, I can see the user's details including the unencrypted password
>>>>
>>>> ldapsearch -x -b "uid=user1,ou=people,dc=mydomain,dc=org"
>>>>
>>>> I think that it's because of the rule access to dn.subtree="" by * read
>>>> With an authenticated user it works as well
>>>>
>>>> ldapsearch -x -D uid=user2,ou=people,dc=mydomain,dc=org -b "uid=user1,ou=people,dc=mydomain,dc=org" -W
>>>>
>>>> But if I comment these two lines
>>>> #access to dn.subtree=""
>>>> # by * read
>>>> The search doesn't give me any result
>>>>
>>>> ldapsearch -x -D uid=user2,ou=people,dc=mydomain,dc=org -b "uid=user1,ou=people,dc=mydomain,dc=org" -W
>>>> # search result
>>>> search: 2
>>>> result: 32 No such object
>>>> # numResponses: 1
>>>>
>>>> I would have expected that this command matched
>>>> access to *
>>>>     by users read
>>>>
>>>> My goal is that only authenticated users would be able to access the ldap directory and users can change their passwords
>>>>
>>>> Does anyone have an idea on how to explain this behavior?
>>>>
>>>> Thank you
>>>>
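Added example, not from the thread or from OpenLDAP: a small Python simulator of slapd's first-match ACL evaluation ("once a rule matches, the scan stops"), run over the fixed configuration above and over the original layout with access to dn.subtree="" by * read placed first. It assumes dn.regex clauses behave as exact-DN matches, that dn.subtree="" covers every entry like access to *, and that an entry the requester cannot search is answered with result 32, as in the quoted log.

```python
# Added example (not from the thread): a first-match simulator of slapd
# access directives, checked against the fixed ACL set in this message.
# Assumptions: dn.regex clauses are matched as exact DNs, dn.subtree="" is
# treated like "access to *", and an unsearchable base entry yields 32.
PRIV = {"none": set(), "auth": set("x"), "compare": set("xc"),
        "search": set("xcs"), "read": set("xcsr"), "write": set("xcsrw")}

def privs(level):
    """'read' -> {x,c,s,r}; an explicit '=wrscx' -> exactly those letters."""
    return set(level[1:]) if level.startswith("=") else PRIV[level]

def who_matches(who, req_dn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return req_dn is None
    if who == "users":
        return req_dn is not None
    if who == "self":
        return req_dn is not None and req_dn == target_dn
    return req_dn == who  # exact DN (stands in for the thread's dn.regex)

def allowed(acls, req_dn, target_dn, attr, priv):
    """acls: [(what, [(who, level), ...])], what being '*' or a set of
    attribute names. The first <access to> covering the request decides;
    inside it the first matching <by> decides; no matching <by> means none."""
    for what, by_list in acls:
        if what == "*" or (attr is not None and attr.lower() in what):
            for who, level in by_list:
                if who_matches(who, req_dn, target_dn):
                    return priv in privs(level)
            return False  # implicit trailing "by * none"
    return False  # assumption: nothing matched, treat as none

def base_search(acls, req_dn, target_dn, attrs):
    """Mimic 'ldapsearch -b <target_dn>': (32, []) when the entry itself is
    not searchable, else (0, attributes the requester may read)."""
    if not allowed(acls, req_dn, target_dn, None, "s"):
        return 32, []
    return 0, [a for a in attrs if allowed(acls, req_dn, target_dn, a, "r")]

PEOPLE = "ou=people,dc=mydomain,dc=org"
USER1, USER2 = "uid=user1," + PEOPLE, "uid=user2," + PEOPLE
MYADMIN, ADMIN = "uid=myadmin," + PEOPLE, "uid=admin," + PEOPLE
PW_ATTRS = {"userpassword", "shadowmax", "shadowexpire", "sambalmpassword",
            "sambantpassword", "sambapwdlastset"}
FIXED = [  # the configuration from this message, in its order
    (PW_ATTRS, [(MYADMIN, "write"), ("self", "write"), ("anonymous", "auth"), ("*", "none")]),
    ("*", [(ADMIN, "=wrscx"), ("self", "write"), ("users", "read"), ("anonymous", "auth"), ("*", "none")]),
]
OPEN_FIRST = [("*", [("*", "read")])] + FIXED  # 'dn.subtree="" by * read' placed first
```

With OPEN_FIRST an anonymous base search on uid=user1 returns userPassword, while FIXED answers anonymous with 32, lets user2 read user1 without the password attributes, and lets user1 and uid=myadmin read it. Note that uid=admin, although granted =wrscx on everything, still cannot read the password attributes, because the attrs directive is evaluated first and names uid=myadmin only.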
