Deny bind for subtree not working?
Hi
I am trying to deny BIND for all entries in a subtree. I compiled openldap with the LDAP backend, because this is only a proxy that forwards requests to another directory.
Following is my configuration:
>include /local/home/hasleda4/openldap/etc/openldap/schema/core.schema
>include /local/home/hasleda4/openldap/etc/openldap/schema/cosine.schema
>include /local/home/hasleda4/openldap/etc/openldap/schema/inetorgperson.schema
>
>pidfile /local/home/hasleda4/openldap/var/run/gaad-slapd.pid
>argsfile /local/home/hasleda4/openldap/var/run/gaad-slapd.args
>
>database ldap
>suffix "dc=company,dc=com"
>uri "ldaps://other-dir.net:26930"
>
>access to dn.subtree="ou=people,ou=intranet,dc=company,dc=com" by dn.subtree="ou=applications,ou=intranet,dc=company,dc=com" read
> by * none
>access to dn.subtree="ou=applications,ou=intranet,dc=company,dc=com" by users read
> by anonymous auth
> by * none
>access to * by * read
According to the first ACL, anonymous users are not allowed to bind against "ou=people,ou=intranet,dc=novartis,dc=com".
If I now try to bind, the ACL does not seem to be evaluated (I run slapd with -d 128 to see ACL processing, and there is no output during the BIND), and the BIND operation succeeds if I give the correct password.
Is this a bug? Or just how openldap behaves for bind operations?
Is there another way to deny bind operations for a subtree?
Thanks for any response.
Cheers
Dani
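A toy model of how slapd evaluates access directives, added here as an example (not OpenLDAP code and not from the poster): it applies the three posted ACLs to a simple bind, which on a local backend needs auth access to the target entry's userPassword attribute, checked for the still-anonymous client. It does not model the back-ldap proxy case from the post, where the bind is forwarded to the remote directory; the first-match rule and the privilege ordering follow slapd.access(5), and the DN and attribute names below are the post's.

```python
# Added toy model of slapd ACL evaluation (not OpenLDAP code). Simplifications:
# only dn.subtree and "*" <what> targets, optional attrs, and the <who> forms
# dn.subtree, users, anonymous and "*"; no matching clause means "none".
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]
PEOPLE = "ou=people,ou=intranet,dc=company,dc=com"
APPS = "ou=applications,ou=intranet,dc=company,dc=com"
ACLS = [  # the three access directives from the post, in their original order
    {"to": {"subtree": PEOPLE},
     "by": [("dn.subtree", APPS, "read"), ("*", None, "none")]},
    {"to": {"subtree": APPS},
     "by": [("users", None, "read"), ("anonymous", None, "auth"), ("*", None, "none")]},
    {"to": {"any": True}, "by": [("*", None, "read")]},
]

def in_subtree(dn, base):
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)

def what_matches(to, target_dn, attr):
    if to.get("any"):
        return True
    if not in_subtree(target_dn, to["subtree"]):
        return False
    return to.get("attrs") is None or attr in to["attrs"]

def who_matches(kind, arg, bind_dn):
    if kind == "*":
        return True
    if kind in ("anonymous", "users"):
        return (bind_dn is None) == (kind == "anonymous")
    return kind == "dn.subtree" and bind_dn is not None and in_subtree(bind_dn, arg)

def granted_level(acls, target_dn, attr, bind_dn):
    """First <what> match wins; inside it the first matching <by> clause decides."""
    for acl in acls:
        if what_matches(acl["to"], target_dn, attr):
            for kind, arg, level in acl["by"]:
                if who_matches(kind, arg, bind_dn):
                    return level
            return "none"
    return "none"

def allows(acls, target_dn, attr, bind_dn, required):
    return LEVELS.index(granted_level(acls, target_dn, attr, bind_dn)) >= LEVELS.index(required)

def simple_bind_allowed(acls, target_dn):
    # A simple bind on a local backend needs auth access to the entry's
    # userPassword, checked for the not-yet-authenticated (anonymous) client.
    return allows(acls, target_dn, "userPassword", None, "auth")
```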