
Re: ACLs being ignored with rwm/relay



Tim Watts wrote:
Hi,

Wonderful - the slapd.conf (see end) with a slight re-arrangement, works!

ldapsearch -H ldap://localhost/ -D cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk -b dc=cch,dc=kcl,dc=ac,dc=uk

does not return userPassword attributes (the -D is convenience, no auth
is performed).


However,

ldapsearch -H ldapi:/// -D cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk -b dc=cch,dc=kcl,dc=ac,dc=uk

does return userPassword - which is what I want. The UNIX domain socket
is protected under a root directory mode 700 so only root can connect
this way - i.e., local root has full unauthenticated access to LDAP,
which is what I want, so that scripts may easily be run to maintain the
LDAP database.

The -D is meaningless in both cases. You're clearly using SASL Binds (using Simple binds would require a -x) and SASL Binds always ignore the Bind DN.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
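An added slapd.conf ACL fragment illustrating the point of the reply; it is not the configuration from the original thread (which is not reproduced here). It assumes slapd listens on ldapi:/// and that the SASL EXTERNAL mechanism is used on that socket, so a root client binds as the peercred identity below rather than as whatever -D was passed.

```conf
# Added example, not the original poster's slapd.conf.
# Under a SASL bind the -D value is ignored; over ldapi:/// with SASL EXTERNAL
# the identity slapd sees for a local root client is the peercred DN below.
# Granting on that DN is what makes "local root reads userPassword" an explicit
# rule instead of a side effect of which socket the client happened to use.
access to attrs=userPassword
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
    by self write
    by anonymous auth
    by * none

access to *
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
    by * read
```

To confirm which identity an ACL is actually evaluating, run `ldapwhoami -H ldapi:///` as the client user; with a SASL bind it reports the peercred DN, not the -D value.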