Re: New guy needs some help choosing an overlay
It's hard to tell without seeing your whole configuration. Auth (by
simple bind) uses ACLs. In detail, it needs auth access to
userPassword. The ACL you show above should indeed prevent auth;
however, everybody would see the userPassword of everybody under that
tree (=r).
Here's the config file I'm currently playing with.
access to * by * none
database ldap
uri "ldap://ldap.isc.keele.ac.uk/"
suffix "dc=people,dc=kdir,dc=keele,dc=ac,dc=uk"
rootdn "dc=people,dc=kdir,dc=keele,dc=ac,dc=uk"
database relay
suffix "dc=webct,dc=kdir,dc=keele,dc=ac,dc=uk"
relay "dc=people,dc=kdir,dc=keele,dc=ac,dc=uk"
overlay rwm
rwm-suffixmassage "dc=people,dc=kdir,dc=keele,dc=ac,dc=uk"
If I've understood the manual correctly then this should stop all access
to the entire DIT.
I start slapd with:
/usr/local/ldap-proxy/libexec/slapd -d 128
@(#) $OpenLDAP: slapd 2.4.11 (Dec 18 2008 18:18:07) $
root@romeo.kis.keele.ac.uk:/var/sysdist/src/ldap/openldap-2.4.11/servers/slapd
Backend ACL: access to *
by * none
Backend ACL: access to *
by * none
config_back_db_open: line 0: warning: cannot assess the validity of the
ACL scope within backend naming context
slapd starting
I then run this command on the client:
ldapwhoami -x -h romeo.kis.keele.ac.uk -D uniqueIdentifier=124E652A-4A4B-11DD-AF40-9CC5CB0AF2BD,dc=webct,dc=kdir,dc=keele,dc=ac,dc=uk -W
Enter LDAP Password:
dn:uniqueIdentifier=124E652A-4A4B-11DD-AF40-9CC5CB0AF2BD,dc=people,dc=kdir,dc=keele,dc=ac,dc=uk
As you can see the BIND succeeds and the DN is returned. If I get the
password wrong, I get the invalid credentials error rather than the DN.
There is no debug output on the slapd server. Any attempt at an
ldapsearch will fail on the search and I get some ACL debug output, but
the initial bind always succeeds.
So how do I use an ACL to stop a bind?
Jon.
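The point made in the quoted reply, that a simple bind needs auth access to userPassword and that a read grant exposes every user's password hash, shown as an added slapd.conf example (not Jon's configuration and not from the list thread): the first block is the permissive shape the reply warns about, the second grants a bind only what it needs. It assumes a local database (bdb/hdb/mdb) that stores userPassword itself; a bind proxied through back-ldap is answered by the remote server, so a local ACL does not decide it.

```conf
# Weak: everybody, anonymous clients included, can read every attribute,
# so the userPassword hash of every entry under the suffix is exposed.
access to *
    by * read

# Corrected: only what a simple bind requires. The "auth" level lets slapd
# compare userPassword during the bind without ever returning the value.
# Assumes a local backend (bdb/hdb/mdb) that holds userPassword; with
# back-ldap the bind is forwarded and the remote server decides it.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Everything else is readable only after a successful bind.
access to *
    by users read
    by * none
```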