--On Thursday, April 14, 2022 10:57 AM -0400 Dave Macias <[email protected]>
wrote:
bind_anon_cred allows anonymous bind when credentials are not empty (e.g.
when DN is empty).
In other words,
ldapsearch -x -H ldap:/// -w blah
An anonymous bind, but someone supplied a password. The password is
ignored.
bind_anon_dn allows unauthenticated (anonymous) bind when DN is not empty.
Similar to the above, but when the DN is supplied (-D) but no password
(-w). An anonymous bind, the supplied DN is ignored.
update_anon allows unauthenticated (anonymous) update operations to be
processed (subject to access controls and other administrative limits).
Allows anonymous users to issue write operations, subject to ACLs, etc.
My goal is to have a dn who is a member of a group to be able to
add/edit/delete (write) operations to a subtree by only using the binddn
(no password).
This of course still was not my end goal since I could use a nonexisting
binddn to make changes.
What you want is not possible with a simple bind (bind as a user without
providing a password). You could use something like client certificate
authentication (SASL/EXTERNAL).
Regards,
Quanah
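
The bind rules discussed in this thread, as an added example that is not part of the original messages and is not OpenLDAP code: a simplified Python model of how a simple bind resolves to a session identity under the three allow flags, and why a group-based write rule can never match a DN sent without a password. The names Policy, simple_bind, may_write and attempt, and the sample directory entries, are assumptions made for illustration.

```python
# Simplified model of the simple-bind rules quoted above (not OpenLDAP code).
from dataclasses import dataclass

ANONYMOUS = ""  # anonymous sessions carry an empty authorization DN

# Constructed sample directory: DN -> password, plus one writers group.
USERS = {"uid=dave,ou=people,dc=example,dc=com": "s3cret"}
WRITERS = {"uid=dave,ou=people,dc=example,dc=com"}


@dataclass
class Policy:
    allow: frozenset = frozenset()  # subset of the three flags discussed
    anon_write_acl: bool = False    # hypothetical ACL granting anonymous write


def simple_bind(policy, dn="", password=""):
    """Return the session's authorization DN, or None if the bind is refused."""
    if dn and password:
        # The only branch in which the client's identity is verified.
        return dn if USERS.get(dn) == password else None
    if not dn and not password:
        return ANONYMOUS
    if not dn:  # password supplied without a DN: password is ignored
        return ANONYMOUS if "bind_anon_cred" in policy.allow else None
    # DN supplied without a password: the DN is ignored, never verified.
    return ANONYMOUS if "bind_anon_dn" in policy.allow else None


def may_write(policy, session_dn):
    """Decide a write to the protected subtree for a bound session."""
    if session_dn is None:
        return False
    if session_dn == ANONYMOUS:
        # update_anon only lets the request reach the ACLs; the ACL must
        # then grant anonymous write, which applies to every client.
        return "update_anon" in policy.allow and policy.anon_write_acl
    return session_dn in WRITERS  # a group rule needs an authenticated DN


def attempt(policy, dn="", password=""):
    """Bind, then try a write; True means the write would be accepted."""
    return may_write(policy, simple_bind(policy, dn, password))
```

In this model a DN sent without a password either fails to bind or binds as anonymous, so the group rule is only ever evaluated for a session that proved its identity.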