
Re: ACLs won't work



On Wed, Sep 23, 2015, at 10:36 AM, Fischer, Johannes wrote:
> Hi @all,
> 
> I struggle with the ACLs, I want a special account to check the username
> and PW of the entries on the LDAP-server.
> Therefore I’ve written the following in the slapd.conf file:
> 
> access to attrs=userPassword
> by dn="cn=authenticate,dc=vfk,dc=ldap,dc=com" write
> by self write
> by anonymous none
> 

this acl makes everyone able to write everything (except the password,
which can be written by cn=authenticate and self),
and makes it impossible to bind non-anonymously

if you want users to be able to authenticate you should give 'anonymous'
users auth permissions to the userpassword attr:

access to attrs=userpassword
# allow connections to bind as user
  by anonymous auth
# allow self password change
  by self write
# allow cn=authenticate password change
  by dn="cn=authenticate,dc=vfk,dc=ldap,dc=com" write

> access to *
> by * write
> by anonymous none
> 
> But I can’t authenticate to the LDAP server, does somebody know why?

this rule makes everyone able to modify/add anything to your directory
(except for the userpassword attribute, managed by the first rule)

> 
> 
> Greetings
> John

bye,
dario
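To make dario's two points concrete (a simple bind needs 'auth' on userPassword while the connection is still anonymous, and 'by * write' before 'by anonymous none' leaves the second clause unreachable), here is a toy evaluator of slapd.conf access directives. It is an added example, not OpenLDAP code, and only models the subset of the ACL syntax used in this thread: <what> is '*' or 'attrs=<name>', <who> is '*', 'anonymous', 'users', 'self' or 'dn="..."', and every 'by' clause uses the default 'stop' control. The user DN uid=john,... is a constructed value; the two ACLs are the ones quoted above.

```python
"""Toy evaluator for slapd.conf 'access to' directives (added example, not OpenLDAP code).

Assumptions: <what> is '*' or 'attrs=<name>'; <who> is '*', 'anonymous', 'users',
'self' or 'dn="..."'; every 'by' clause has the default 'stop' control; attribute
names compare case-insensitively.
"""
from dataclasses import dataclass, field

# OpenLDAP access levels, lowest to highest. A granted level implies every lower
# one, so 'auth' lets a client bind with the password but not read it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


@dataclass
class Rule:
    what: str                                # '*' or 'attrs=<name>' (lower-cased)
    by: list = field(default_factory=list)   # [(who, level), ...] in file order


def parse_acl(text):
    """Parse 'access to ...' and 'by <who> <level>' lines; '#' comments are dropped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("access to "):
            rules.append(Rule(what=line[len("access to "):].strip().lower()))
        elif line.startswith("by "):
            _, who, level = line.split(None, 2)
            rules[-1].by.append((who, level.strip().lower()))
        else:
            raise ValueError(f"unsupported line: {raw!r}")
    return rules


def who_matches(who, bind_dn, target_dn):
    """bind_dn is None for an anonymous connection."""
    w = who.lower()
    if w == "*":
        return True
    if w == "anonymous":
        return bind_dn is None
    if w == "users":
        return bind_dn is not None
    if w == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    if w.startswith("dn="):
        return bind_dn is not None and bind_dn.lower() == w[3:].strip('"')
    raise ValueError(f"unsupported <who>: {who}")


def granted_level(rules, bind_dn, target_dn, attr):
    """The first rule whose <what> covers the attribute is selected; within it the
    first matching 'by' clause decides. No match at all is the implicit 'by * none'."""
    for rule in rules:
        if rule.what in ("*", f"attrs={attr.lower()}"):
            for who, level in rule.by:
                if who_matches(who, bind_dn, target_dn):
                    return level
            return "none"
    return "none"


def allowed(rules, bind_dn, target_dn, attr, need):
    return LEVELS.index(granted_level(rules, bind_dn, target_dn, attr)) >= LEVELS.index(need)


def can_simple_bind(rules, user_dn):
    """A simple bind verifies the password before any identity exists, so the
    server checks 'auth' access to userPassword for the *anonymous* client."""
    return allowed(rules, None, user_dn, "userPassword", "auth")


def shadowed_clauses(rules):
    """'by' clauses that never match because an earlier 'by *' in the same rule
    already stopped evaluation."""
    found = []
    for rule in rules:
        seen_star = False
        for who, level in rule.by:
            if seen_star:
                found.append((rule.what, who, level))
            if who == "*":
                seen_star = True
    return found


# Constructed copies of the thread's ACLs: the original post and the reply's fix.
ORIGINAL_ACL = """
access to attrs=userPassword
by dn="cn=authenticate,dc=vfk,dc=ldap,dc=com" write
by self write
by anonymous none

access to *
by * write
by anonymous none
"""

CORRECTED_ACL = """
access to attrs=userpassword
  by anonymous auth
  by self write
  by dn="cn=authenticate,dc=vfk,dc=ldap,dc=com" write
"""

JOHN = "uid=john,dc=vfk,dc=ldap,dc=com"          # constructed user DN
AUTH = "cn=authenticate,dc=vfk,dc=ldap,dc=com"  # service account from the thread

if __name__ == "__main__":
    orig, fixed = parse_acl(ORIGINAL_ACL), parse_acl(CORRECTED_ACL)
    print("bind with original ACL :", can_simple_bind(orig, JOHN))          # False
    print("bind with corrected ACL:", can_simple_bind(fixed, JOHN))         # True
    print("anonymous write to cn  :", allowed(orig, None, JOHN, "cn", "write"))  # True
    print("unreachable clauses    :", shadowed_clauses(orig))   # [('*', 'anonymous', 'none')]
```

With the original rules the anonymous bind attempt hits 'by anonymous none' and fails, while the catch-all rule hands write access on every other attribute to anyone; with the corrected rule the bind succeeds because 'auth' is exactly what the password check needs, and anonymous clients still cannot read the hash.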