I've recently been trying to lock down Samba4's default ACLs, in it's
generated LDAP backend configuration.
I have memberOf configured to 'error' on dangling links, which I need
for Samba.
But I seem to be having some trouble with ACLs. I've attached my full
config file, but the key part is:
access to dn.base=""
by dn=cn=samba-admin,cn=samba manage
by anonymous read
by * read
access to dn.subtree="cn=samba"
by anonymous auth
access to dn.subtree="${DOMAINDN}"
by dn=cn=samba-admin,cn=samba manage
by * none
If I change the last line to 'by * read', then the error is returned,
but otherwise (due apparently to "" being unable to read the entry to
validate it's existence).
Shouldn't the search operations happen as the rootdn or memberof-dn, or
am I missing some other configuration element here?