OpenLDAP ACLs are not working

Posted by Dr I on Server Fault
Published on 2014-06-02T07:57:32Z Indexed on 2014/06/02 9:31 UTC

First things first, I'm currently working with OpenLDAP slapd 2.4.36 on Fedora release 19 (Schrödinger’s Cat).

I've just installed OpenLDAP with yum, and my configuration is the following:

##### OpenLDAP Default configuration #####
#
##### OpenLDAP CORE CONFIGURATION #####
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

pidfile         /var/lib/ldap/slapd.pid

# "trace" logs every function call; expect a very large log
loglevel trace

##### Default Schema #####

database mdb
directory /var/lib/ldap/
maxsize 1073741824

suffix "dc=domain,dc=tld"
rootdn "cn=root,dc=domain,dc=tld"
rootpw {SSHA}SECRETP@SSWORD


##### Default ACL #####
access to attrs=userpassword
        by self write
        by group.exact="cn=administrators,ou=builtin,ou=groups,dc=domain,dc=tld" write
        by anonymous auth
        by * none

I launch my OpenLDAP service using:

/usr/sbin/slapd -u ldap -h "ldapi:/// ldap:///" -f /etc/openldap/slapd.conf

As you can see, it's a pretty simple ACL which aims to allow access to the userPassword attribute to a specific group read only, then read and write to the owner, auth to anonymous, and to refuse access to everyone else.

The problem is: even using a valid user with the correct password, my ldapsearch ends with zero information retrieved from the directory, plus I get a strange response on the result line.

# search result
search: 2
result: 32 No such object

# numResponses: 1

Here is the ldapsearch request:

ldapsearch -H ldap://ldap.domain.tld -W -b dc=domain,dc=tld -s sub -D cn=user,ou=service,ou=employees,ou=users,dc=domain,dc=tld

I did not specify any filter, as I want to check that ldapsearch correctly prints only the allowed attributes.
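The following ACL section is an added example, not the asker's configuration or anything from the OpenLDAP project. It reuses the suffix, the user DN and the administrators group DN from the question as assumptions and shows the check a practitioner would run first: with exactly one "access to" directive in slapd.conf, slapd's implicit final rule is "access to * by * none", so a bound user gets no access to the "entry" pseudo-attribute of the base object and the search is answered with "32 No such object" even though the entry exists. A second directive covering everything else is what makes the directory readable.

```conf
##### ACLs (added example, assumes the suffix and group DN from the question) #####
#
# Directives are evaluated in order, and within a directive the first "by"
# clause that matches the requester wins. Anonymous only needs "auth" on
# userPassword to bind; nothing here gives anonymous read on anything else.
access to attrs=userPassword
        by anonymous auth
        by self write
        by group.exact="cn=administrators,ou=builtin,ou=groups,dc=domain,dc=tld" write
        by * none

# Everything else, including the "entry" and "children" pseudo-attributes
# that a search needs to return and traverse entries. Without a rule like
# this one, the implicit "access to * by * none" applies and a bound user
# sees an empty directory (result 32). "users" = any authenticated DN.
access to *
        by group.exact="cn=administrators,ou=builtin,ou=groups,dc=domain,dc=tld" write
        by users read
        by * none

# Check the ACLs offline, without restarting slapd (run as the ldap user so
# slapacl can open /var/lib/ldap); it reports ALLOWED or DENIED per request:
#   slapacl -f /etc/openldap/slapd.conf -v \
#     -D "cn=user,ou=service,ou=employees,ou=users,dc=domain,dc=tld" \
#     -b "dc=domain,dc=tld" entry/read userPassword/read
```

With the directive set above, slapacl should report entry/read as ALLOWED and userPassword/read as DENIED for the user DN, which matches the intent described in the question; the same ldapsearch bind then returns the tree minus userPassword instead of "No such object".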

© Server Fault or respective owner
