--On Wednesday, November 18, 2020 4:05 PM +0800 张连生 <[email protected]> wrote:

Also tried the following, doesn't work either.

The ability to authenticate to LDAP requires "auth" privileges to the userPassword attribute (for simple binds, at least). Since any incoming connection has *not yet authenticated*, ALL simple binds start out as anonymous. Thus what you're asking is literally impossible, because it requires *post-authentication knowledge*.

To do what you are asking, you need to do something more like:

access to filter=(accountstatus=active) attrs=userPassword
   by anonymous auth


This assumes you have an attribute in the entry named "accountstatus".

If you used standard LDAP groups (such as groupOfNames), and implemented "memberOf" capabilities, then you could do something like:

access to filter=(memberOf=cn=admin,ou=group,dc=migu,dc=com) attrs=userPassword
        by anonymous auth


Regards,
Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
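A fuller version of the ACL from the reply above, written as an added example rather than taken from Quanah's message. It assumes a slapd.conf-style configuration, an "accountstatus" attribute on the user entries (the thread's own assumption), the memberof overlay loaded if the memberOf variant is used, and the dc=migu,dc=com suffix from the thread. What it adds to the two-line snippet is ordering: slapd uses the first "access to" clause whose target (filter plus attrs) matches the entry, so the filtered clause has to come before a catch-all userPassword clause, and that catch-all has to withhold "auth", otherwise inactive accounts still bind.

```conf
# slapd.conf ACL fragment (added example, not from the thread). Assumes:
#   - user entries carry an "accountstatus" attribute (assumption from the thread)
#   - the memberof overlay is loaded if the memberOf variant below is used
# Order matters: slapd applies the first "access to" clause whose target
# (entry filter + attrs) matches and stops looking for that attribute.

# 1. Active accounts: anonymous may use userPassword for a simple bind
#    ("auth"), and the bound user may change their own password.
access to filter=(accountstatus=active) attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Alternative to (1): gate binds on group membership (needs memberOf on
# the entry, i.e. the memberof overlay) instead of a status attribute.
# access to filter=(memberOf=cn=admin,ou=group,dc=migu,dc=com) attrs=userPassword
#         by self write
#         by anonymous auth
#         by * none

# 2. Every other entry: nobody gets "auth" on userPassword, so a simple
#    bind as such an entry fails with invalidCredentials (49), the same
#    result as a wrong password. The rootdn bypasses ACLs and can still
#    reset the password to reactivate the account.
access to attrs=userPassword
        by * none

# 3. Remaining attributes, as in a typical setup.
access to *
        by self write
        by users read
        by anonymous auth
```

The same clauses go into cn=config as olcAccess values on the database entry, prefixed {0}, {1}, ... to pin the order. A quick check after loading them: `ldapwhoami -x -D <inactive user DN> -w <correct password>` should fail with error 49 while the same command for an active user succeeds.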
