Hello,
Running: 2.6.1
Looking at the slapd.conf man page we have this interesting paragraph:
bind_anon_cred allows anonymous bind when credentials are not empty (e.g.
when DN is empty). bind_anon_dn allows unauthenticated (anonymous)
bind when DN is not empty. update_anon allows unauthenticated
(anonymous) update operations to be processed (subject to access controls
and other administrative limits).
My goal is to have a DN that is a member of a group be able to perform
add/edit/delete (write) operations on a subtree by only using the binddn
(no password).
I have no issues with the below acl when we ldapmodify/delete/add with
binddn+password
olcAccess: {2}to dn.subtree="ou=dns,dc=example,dc=net"
filter="(!(|(idnsName=*'.')(objectClass=organizationalUnit)))" by
dn="cn=dnsmanager,dc=example,dc=net" write by
group.expand="cn=dns,ou=group,dc=example,dc=net" write by * read
I added the below to my dn: cn=config
olcAllows: bind_anon_dn
olcAllows: update_anon
Since I still could not make any write operations with a simple binddn, I
changed the ACL to the below (adding anonymous write).
olcAccess: {2}to dn.subtree="ou=dns,dc=example,dc=net"
filter="(!(|(idnsName=*'.')(objectClass=organizationalUnit)))" by
dn="cn=dnsmanager,dc=example,dc=net" write by
group.expand="cn=dns,ou=group,dc=example,dc=net" write by anonymous write
by * read
This of course still was not my end goal, since I could use a nonexistent
binddn to make changes.
> ldapsearch -xLLL "filter" dn | awk '{print $NF}' | sed '/^$/d'
| ldapdelete -D uid=someuserthatdoesnotexist,ou=people,dc=example,dc=net
So I'm guessing I'm not understanding or not configuring this correctly.
Is it even possible to do this?
Any input is appreciated.
Thank you,
Dave
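An added example, not part of the post above: a toy model of how slapd assigns an authorization identity to a simple bind and then evaluates the quoted olcAccess clause, showing why a DN-plus-empty-password bind (permitted by bind_anon_dn) is matched by "by anonymous", not "by dn=..." or "by group...". The group membership, the user DNs and the password check are constructed assumptions.

```python
# Toy model of slapd's simple-bind identity mapping and "by" clause matching.
# ACLs are transcribed from the post; group membership below is constructed.

GROUP_DNS = "cn=dns,ou=group,dc=example,dc=net"
DNSMANAGER = "cn=dnsmanager,dc=example,dc=net"
# Assumed members of cn=dns, standing in for what group.expand would read.
GROUP_MEMBERS = {GROUP_DNS: {"uid=alice,ou=people,dc=example,dc=net"}}

# ("who" kind, target, access level), in the order written in olcAccess.
ACL_FIRST_ATTEMPT = [("dn", DNSMANAGER, "write"), ("group", GROUP_DNS, "write"),
                     ("*", None, "read")]
ACL_ANON_WRITE = [("dn", DNSMANAGER, "write"), ("group", GROUP_DNS, "write"),
                  ("anonymous", None, "write"), ("*", None, "read")]


def simple_bind(bind_dn, password, bind_anon_dn_allowed):
    """Return the authorization identity slapd assigns to a simple bind.

    "" is the anonymous identity. A non-empty DN with an empty password is an
    *unauthenticated* bind: refused unless olcAllows contains bind_anon_dn,
    and even when allowed it yields the anonymous identity, not bind_dn.
    No directory lookup happens, so the DN does not even need to exist.
    """
    if not bind_dn:
        return ""                       # plain anonymous bind
    if not password:
        if not bind_anon_dn_allowed:
            raise PermissionError("unauthenticated bind not allowed")
        return ""                       # allowed, but still anonymous
    return bind_dn                      # assumption: password verified OK


def access_level(identity, acl, members=GROUP_MEMBERS):
    """The first matching 'by' clause decides, as slapd does (no break/continue)."""
    for kind, target, level in acl:
        if kind == "dn" and identity == target:
            return level
        if kind == "group" and identity in members.get(target, ()):
            return level
        if kind == "anonymous" and identity == "":
            return level
        if kind == "*":
            return level
    return "none"


def can_write(bind_dn, password, acl, bind_anon_dn_allowed=True):
    """True when the bind's resulting identity gets write under the ACL."""
    identity = simple_bind(bind_dn, password, bind_anon_dn_allowed)
    return access_level(identity, acl) == "write"
```

Under the first ACL, alice with a password gets write but alice with an empty password only gets read; under the anonymous-write ACL any DN with an empty password, existent or not, gets write, which is exactly the ldapdelete behaviour observed in the post.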