Dear Pierangelo,
Thanks a lot for the reply. It explains the cause of the problem.
I did read the man page for slapd.access but missed this particular
bit.
So I do not have to give read access to anonymous for base; only
search is enough, as follows:
access to dn.base="o=abc, c=IN"
by anonymous search
by * none
I tested it successfully.
--
Regards,
Sachin Divekar
On Sun, Dec 23, 2012 at 1:08 PM, Pierangelo Masarati <
[email protected]> wrote:
>
> > Dear all,
> >
> > I have a setup of **OpenLDAP v2.3** which I have been using for the last few years.
> > Following are the lines in `slapd.conf` for access control.
> >
> > access to dn.one="o=abc, c=IN"
> > by * read
> >
> > access to dn.base="o=abc, c=IN"
> > by * none
> >
> > When I do ldapsearch using anonymous bind, it gives me a result.
> >
> > For example, the following command gives a result.
> >
> > ldapsearch -x -h localhost -b "o=abc,c=IN"
> >
> > Now I upgraded the OS, CentOS from 5.5 to 6.3, so the version of OpenLDAP
> > is **OpenLDAP v2.4**. We have not changed the schema.
> >
> > But now the same `ldapsearch` gives me `result: 32 No such object` error.
> >
> > But it works when I add the following lines in the access control configuration.
> >
> > access to dn.one="o=abc, c=IN"
> > by * read
> >
> > access to dn.base="o=abc, c=IN"
> > by anonymous read
> > by * none
> >
> >
> > What can be the reason? Is there any security risk in doing so?
>
> man slapd.access(5):
>
> [...]
>
> The search operation, requires search (=s) privileges on the entry
> pseudo-attribute of the searchBase (NOTE: this was introduced with
> OpenLDAP 2.4).
>
> [...]
>
> p.
>
>
> >
> > Thank you.
> >
> > --
> > Regards,
> > Sachin Divekar
> >
>
>
> --
> Pierangelo Masarati
> Associate Professor
> Dipartimento di Ingegneria Aerospaziale
> Politecnico di Milano
>
>
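The following is an added illustration of the point Pierangelo quotes from slapd.access(5); it is not part of this thread and not OpenLDAP's own code. It models the ordered privilege levels of slapd.access(5) and the `dn.base` / `dn.one` targets, then runs the three ACL variants from the thread against a small constructed directory tree. The `v24` switch models the 2.4 behaviour (search privilege required on the searchBase entry, otherwise result 32) versus the 2.3 behaviour; the entries under `o=abc,c=IN` and the `anonymous` / `users` identities are assumptions made for the example.

```python
"""
Toy model of slapd access evaluation for the search case in this thread.
Added example: it is not OpenLDAP code and covers only the pieces needed here
(dn.base / dn.one targets, the '*' / 'anonymous' / 'users' identities,
and the ordered privilege levels from slapd.access(5)).
"""
import re

# Privilege levels in the order slapd.access(5) defines them; a grant at one
# level implies every level to its left (so 'read' also grants 'search').
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def norm(dn):
    """Normalise a DN for comparison by stripping whitespace around commas."""
    return ",".join(part.strip() for part in dn.split(","))


def parent(dn):
    """Parent DN, or '' for a DN with a single RDN."""
    dn = norm(dn)
    return dn.split(",", 1)[1] if "," in dn else ""


def parse_acl(text):
    """Parse 'access to dn.<scope>="..."' clauses and their 'by <who> <level>' lines."""
    acl = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'access to dn\.(base|one)="([^"]+)"', line)
        if m:
            acl.append({"scope": m.group(1), "dn": norm(m.group(2)), "by": []})
            continue
        m = re.match(r"by (\S+) (\S+)", line)
        if m and acl:
            acl[-1]["by"].append((m.group(1), m.group(2)))
    return acl


def who_matches(who, identity):
    return who == "*" or who == identity or (who == "users" and identity != "anonymous")


def granted_level(acl, identity, entry_dn):
    """Level granted by the first clause whose target matches the entry.
    Like slapd, an entry matched by no clause, or by a clause with no matching
    'by', gets 'none' (slapd's default for unmatched access)."""
    entry_dn = norm(entry_dn)
    for clause in acl:
        hit = (clause["scope"] == "base" and clause["dn"] == entry_dn) or \
              (clause["scope"] == "one" and clause["dn"] == parent(entry_dn))
        if not hit:
            continue
        for who, level in clause["by"]:
            if who_matches(who, identity):
                return level
        return "none"
    return "none"


def has(acl, identity, entry_dn, needed):
    return LEVELS.index(granted_level(acl, identity, entry_dn)) >= LEVELS.index(needed)


def search(acl, identity, base, entries, v24=True):
    """Model a subtree search. With v24=True (OpenLDAP 2.4 rule quoted in the
    thread) 'search' on the searchBase entry is required first, else the
    result is 32 (noSuchObject). Entries are returned only where the
    requester has 'read' on them, which is why a base entry with only
    'search' is usable as searchBase but is not itself returned."""
    base = norm(base)
    if v24 and not has(acl, identity, base, "search"):
        return 32, []
    in_scope = [norm(dn) for dn in entries
                if norm(dn) == base or norm(dn).endswith("," + base)]
    return 0, [dn for dn in in_scope if has(acl, identity, dn, "read")]


# Constructed directory content for the example (hypothetical entries).
DIT = ["o=abc,c=IN", "cn=alice,o=abc,c=IN", "cn=bob,o=abc,c=IN"]
BASE = "o=abc,c=IN"

# The three ACL variants quoted in the thread.
ACL_ORIGINAL = 'access to dn.one="o=abc, c=IN"\n by * read\n' \
               'access to dn.base="o=abc, c=IN"\n by * none\n'
ACL_READ = 'access to dn.one="o=abc, c=IN"\n by * read\n' \
           'access to dn.base="o=abc, c=IN"\n by anonymous read\n by * none\n'
ACL_SEARCH = 'access to dn.one="o=abc, c=IN"\n by * read\n' \
             'access to dn.base="o=abc, c=IN"\n by anonymous search\n by * none\n'

if __name__ == "__main__":
    for name, text in [("original", ACL_ORIGINAL), ("read", ACL_READ), ("search", ACL_SEARCH)]:
        acl = parse_acl(text)
        print(name, "2.3:", search(acl, "anonymous", BASE, DIT, v24=False))
        print(name, "2.4:", search(acl, "anonymous", BASE, DIT))
```

Running it shows the sequence from the thread: the original ACL returns the two child entries under the 2.3 rule but result 32 under the 2.4 rule; granting `read` on the base works but also discloses the base entry itself to anonymous; granting only `search` restores the 2.3 result set while exposing no more than the search operation needs.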