On Mon, Nov 21, 2016 at 12:45 PM, Quanah Gibson-Mount <[email protected]> wrote:

> --On Monday, November 21, 2016 6:41 PM +0100 Michael Ströder
> <[email protected]> wrote:
>
>> Matty wrote:
>>>
>>> I am testing some OpenLDAP ACLs and stumbled on a weird issue. My
>>> configuration has the following ACL defined:
>>>
>>> access to *
>>>     by users read
>>>     by peername.ip=1.2.3.4 read
>>>     by * none
>>
>>          ^^^^
>> You probably want "auth" in this last <who> clause.
>>
>> Ciao, Michael.
>>
>
> or:
>
>     by anonymous auth
>     by * none
>
> may be closer.
That works as well, but I'm still not really clear why running:

    $ ldapsearch -b 'dc=foo,dc=com' -x -h ldap1 -W -D 'uid=bingo,ou=users,dc=foo,dc=com' '(objectClass=*)'

results in an anonymous bind:

    Nov 16 09:50:02 tulip slapd[17803]: => acl_get: [2] attr userPassword
    Nov 16 09:50:02 tulip slapd[17803]: => acl_mask: access to entry "uid=bingo,ou=users,dc=foo,dc=com", attr "userPassword" requested
    Nov 16 09:50:02 tulip slapd[17803]: => acl_mask: to value by "", (=0)

Does anyone happen to know why "acl_mask: to value by" shows "" instead of the DN of the user passed to the "-D" option? The suggestions above work, but I am still curious why the anonymous bind is occurring.

Thanks for the awesome feedback,

- Ryan
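An added illustration (a toy model written for this page, not slapd's own code) of why the log shows `by ""`: for a simple bind, slapd checks "auth" access to userPassword before the connection has any identity, so that check is evaluated as anonymous, and first-match evaluation of the original ACL lands on `by * none`. The client address 10.0.0.5 below is a constructed value.

```python
# Toy model of OpenLDAP's first-match ACL evaluation (added illustration, not slapd code).
# It reproduces the bind-time userPassword check from the thread for the original
# ACL and for Quanah's corrected one.

# OpenLDAP privilege levels, lowest to highest; a level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def grants(level: str, needed: str) -> bool:
    """True if the granted privilege level covers the needed one."""
    return LEVELS.index(level) >= LEVELS.index(needed)


def who_matches(who: str, bind_dn: str, peer_ip: str) -> bool:
    """Match one <who> clause against the requester's DN ("" = anonymous) and peer IP."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who.startswith("peername.ip="):
        return who.split("=", 1)[1] == peer_ip
    raise ValueError(f"unsupported <who> clause in this model: {who}")


def evaluate(acl, bind_dn: str, peer_ip: str) -> str:
    """Level granted by the first <who> clause that matches ("none" if nothing matches)."""
    for who, level in acl:
        if who_matches(who, bind_dn, peer_ip):
            return level
    return "none"


def simple_bind_allowed(acl, peer_ip: str) -> bool:
    """A simple bind needs 'auth' access to userPassword. slapd evaluates that
    before the connection is authenticated, so the requester DN is "" here --
    the 'acl_mask: to value by ""' line in the log."""
    return grants(evaluate(acl, "", peer_ip), "auth")


# The ACL from the original post, and the corrected version with 'by anonymous auth'.
# Anonymous gets only 'auth' (enough to bind), never 'read' on the password attribute.
ORIGINAL_ACL = [("users", "read"), ("peername.ip=1.2.3.4", "read"), ("*", "none")]
FIXED_ACL = [("users", "read"), ("peername.ip=1.2.3.4", "read"),
             ("anonymous", "auth"), ("*", "none")]

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        # 10.0.0.5 is a constructed client address that is not the privileged 1.2.3.4 peer.
        print(f"{name}: bind from 10.0.0.5 allowed = {simple_bind_allowed(acl, '10.0.0.5')}")
```

With the original ACL only clients on 1.2.3.4 can bind at all, because `by peername.ip=1.2.3.4 read` happens to cover auth; everyone else hits `by * none` while still anonymous.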
