back-ldap with an anonymous ACL not working
Hello,

I have an OpenLDAP 2.2.26 running as a proxy with an `ldap' backend
configured. Everything works fine when attempting an authenticated bind,
but I cannot get the backend to deliver simple attribute types (cn, userCertificate)
to me upon anonymous bind.

| database        ldap
| uri             "ldap://backendserver1/ ldap://backendserver2/"
| binddn          "cn=Proxy-Agent,dc=example,dc=com"
| bindpw          "secret"
| suffixmassage   "ou=People,o=NEW"  "ou=People,dc=example,dc=com"
| suffix          "ou=People,o=NEW"
| map             attribute "display-name" "displayname"
| map             attribute uid           *
| map             attribute cn            *
| map             attribute mail          *
| map             attribute usercertificate;binary *
| map             attribute *
| map             objectclass person      *
| map             objectclass inetorgperson       *
| map             objectclass *
| 
| access to dn.base="" by * read
| access to dn.base="cn=Subschema" by * read
| 
| access to attrs=userpassword
|         by anonymous auth
| 
|--- start problem
| access to dn.subtree="ou=People,O=NEW" attrs=cn,usercertificate
|         by anonymous read
|         by users read
|--- end  problem
| 
| access to *
|         by users read
|         by anonymous auth
| 

Could somebody kindly help me with what is probably a trivial
issue? I want anonymous binds to be able to retrieve the
binary userCertificate when they search for `mail=user@example.com'.

Thanks & regards,
	-JP
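As an added worked example (not part of the original message, and not OpenLDAP code), the following Python models slapd's first-match ACL evaluation and runs it over the ACLs quoted above for the search described: an anonymous requester filtering on mail and asking for cn and userCertificate under ou=People,o=NEW. The two rules it relies on are documented in slapd.access(5): every attribute used in a search filter needs `search' access, and the `entry' pseudo-attribute needs `read' access before an entry can be returned at all; an attrs= list that does not name `entry' does not cover it, so in the quoted config it falls through to `access to *'. The FIXED_ACLS string is a suggested correction and an assumption of this example, not the poster's config and not tested against 2.2.26; the sample entry DN and requester DN are constructed. Whatever ACLs backendserver1/backendserver2 apply to the proxied connection are evaluated on those servers and are not modelled here.

```python
"""Model of slapd ACL evaluation for the ACLs quoted in the message above.
Added example, not OpenLDAP code.  slapd uses the FIRST 'access to' clause
whose <what> matches the target entry/attribute, then the FIRST 'by' clause in
it whose <who> matches the requester; nothing later is consulted.  A search
needs 'search' on each filter attribute and 'read' on the 'entry' pseudo-
attribute before any entry is returned, then 'read' on each requested attr.
"""
import re

# Privilege levels, lowest to highest; a granted level implies all lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# The ACLs as quoted in the message.
POSTED_ACLS = """
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to attrs=userpassword
        by anonymous auth
access to dn.subtree="ou=People,O=NEW" attrs=cn,usercertificate
        by anonymous read
        by users read
access to *
        by users read
        by anonymous auth
"""

# ASSUMED correction (not from the message): anonymous gets 'search' on the
# filter attribute mail and 'read' on the entry pseudo-attribute as well.
FIXED_ACLS = """
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to attrs=userpassword by anonymous auth
access to dn.subtree="ou=People,o=NEW" attrs=mail by anonymous search by users read
access to dn.subtree="ou=People,o=NEW" attrs=entry,cn,userCertificate by anonymous read by users read
access to * by users read by anonymous auth
"""


def norm_dn(dn):
    """Comparison form of a DN: lower-case, no blanks around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def parse_acls(text):
    """Parse the subset of slapd.access(5) syntax used in the ACLs above."""
    clauses = []
    for chunk in re.split(r"^\s*access\s+to\s+", text, flags=re.M)[1:]:
        what, *by_parts = re.split(r"\s+by\s+", chunk.strip())
        dn_m = re.search(r'dn\.(base|subtree)="([^"]*)"', what)
        attr_m = re.search(r"attrs=(\S+)", what)
        clauses.append({
            "dn_style": dn_m.group(1) if dn_m else None,
            "dn": norm_dn(dn_m.group(2)) if dn_m else None,
            "attrs": [a.lower() for a in attr_m.group(1).split(",")] if attr_m else None,
            "by": [tuple(p.split()[:2]) for p in by_parts],     # (who, level)
            "text": "access to " + " ".join(chunk.split()),
        })
    return clauses


def what_matches(clause, target_dn, attr):
    """Does the clause's <what> cover this attribute of this entry?"""
    t = norm_dn(target_dn)
    if clause["dn_style"] == "base" and t != clause["dn"]:
        return False
    if clause["dn_style"] == "subtree" and clause["dn"] != "" \
            and t != clause["dn"] and not t.endswith("," + clause["dn"]):
        return False
    return clause["attrs"] is None or attr.lower() in clause["attrs"]


def who_matches(who, requester_dn, target_dn):
    """Does the <who> of a 'by' clause match the requester (""= anonymous)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return not requester_dn
    if who == "users":
        return bool(requester_dn)
    if who == "self":
        return bool(requester_dn) and norm_dn(requester_dn) == norm_dn(target_dn)
    raise ValueError("unsupported <who>: %s" % who)


def granted_level(clauses, requester_dn, target_dn, attr):
    """First-match evaluation; returns (level, text of the deciding clause)."""
    for clause in clauses:
        if not what_matches(clause, target_dn, attr):
            continue
        for who, level in clause["by"]:
            if who_matches(who, requester_dn, target_dn):
                return level, clause["text"]
        return "none", clause["text"]   # <what> matched, no <by> did: implicit 'by * none'
    return "none", None                 # no clause matched at all


def check(clauses, requester_dn, target_dn, attr, needed):
    granted, clause = granted_level(clauses, requester_dn, target_dn, attr)
    return {"needed": needed, "granted": granted, "clause": clause,
            "ok": LEVELS.index(granted) >= LEVELS.index(needed)}


def diagnose(acl_text, requester_dn, entry_dn, filter_attrs, requested_attrs):
    """All access checks behind returning entry_dn for a search, plus the outcome."""
    clauses = parse_acls(acl_text)
    checks = {}
    for a in filter_attrs:
        checks["search:" + a] = check(clauses, requester_dn, entry_dn, a, "search")
    checks["read:entry"] = check(clauses, requester_dn, entry_dn, "entry", "read")
    for a in requested_attrs:
        checks["read:" + a] = check(clauses, requester_dn, entry_dn, a, "read")
    returned = all(checks["search:" + a]["ok"] for a in filter_attrs) and checks["read:entry"]["ok"]
    attrs = [a for a in requested_attrs if checks["read:" + a]["ok"]] if returned else []
    return {"returned": returned, "attrs": attrs, "checks": checks}


if __name__ == "__main__":
    entry = "uid=jp,ou=People,o=NEW"   # constructed sample entry under the proxy suffix
    for name, acls in (("posted", POSTED_ACLS), ("fixed", FIXED_ACLS)):
        for who in ("", "cn=bob,ou=People,o=NEW"):   # anonymous, then a constructed user
            r = diagnose(acls, who, entry, ["mail"], ["cn", "userCertificate"])
            print("%-6s %-24s returned=%-5s attrs=%s" % (name, who or "(anonymous)", r["returned"], r["attrs"]))
            for k, c in r["checks"].items():
                if not c["ok"]:
                    print("       %s needs %s, got %s from: %s" % (k, c["needed"], c["granted"], c["clause"]))
```

Running it shows the posted ACLs returning the entry for the authenticated user but not for anonymous, where both the `search' check on mail and the `read' check on entry stop at the final `access to *' clause with only `auth'; the cn and userCertificate clause itself is already granting `read', so adding `entry' and a `search' grant on mail for anonymous is what the FIXED_ACLS variant changes.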