OpenLDAP ACLs are not working
- by Dr I
First things first, I'm currently working with an OpenLDAP: slapd 2.4.36 on a Fedora release 19 (Schrödinger’s Cat).
I've just install the openldap with yum and my configuration is the following one:
##### OpenLDAP Default configuration #####
#
##### OpenLDAP CORE CONFIGURATION #####
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
pidfile /var/lib/ldap/slapd.pid
loglevel trace
##### Default Schema #####
database mdb
directory /var/lib/ldap/
maxsize 1073741824
suffix "dc=domain,dc=tld"
rootdn "cn=root,dc=domain,dc=tld"
rootpw {SSHA}SECRETP@SSWORD
##### Default ACL #####
access to attrs=userpassword
by self write
by group.exact="cn=administrators,ou=builtin,ou=groups,dc=domain,dc=tld" write
by anonymous auth
by * none
I launch my OpenLDAP service using:
/usr/sbin/slapd -u ldap -h ldapi:/// ldap:/// -f /etc/openldap/slapd.conf
As you can see it's a pretty simple ACL which aim to allow access to the userPassword attribute to a specific group read only, then to the owner read and write to anonymous requiring auth and refuse the access to everyone else.
The problem is: Even using a valid user with correct password my ldapsearch ends with zero informations retrieved from the directory, plus I've got a strange response on the result line.
# search result
search: 2
result: 32 No such object
# numResponses: 1
here is the ldapsearch request:
ldapsearch -H ldap.domain.tld -W -b dc=domain,dc=tld -s sub -D cn=user,ou=service,ou=employees,ou=users,dc=domain,dc=tld
I did not specify any filter as I want to check that ldapsearch is correctly printing only allowed attribute.