First things first, I'm currently working with an OpenLDAP: slapd 2.4.36 on a Fedora release 19 (Schrödinger’s Cat).
I've just installed OpenLDAP with yum and my configuration is the following:
##### OpenLDAP Default configuration #####
#
##### OpenLDAP CORE CONFIGURATION #####
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
pidfile /var/lib/ldap/slapd.pid
loglevel trace
##### Default Schema #####
database mdb
directory /var/lib/ldap/
maxsize 1073741824
suffix "dc=domain,dc=tld"
rootdn "cn=root,dc=domain,dc=tld"
rootpw {SSHA}SECRETP@SSWORD
##### Default ACL #####
# "by" clauses are continuation lines and must start with whitespace
access to attrs=userpassword
    by self write
    by group.exact="cn=administrators,ou=builtin,ou=groups,dc=domain,dc=tld" write
    by anonymous auth
    by * none
I launch my OpenLDAP service using:
/usr/sbin/slapd -u ldap -h ldapi:/// ldap:/// -f /etc/openldap/slapd.conf
As you can see it's a pretty simple ACL which aims to allow read-only access to the userPassword attribute for a specific group, read and write for the owner, auth for anonymous, and to refuse access to everyone else.
The problem is: even using a valid user with the correct password, my ldapsearch ends with no information retrieved from the directory, plus I get a strange response on the result line.
# search result
search: 2
result: 32 No such object
# numResponses: 1
Here is the ldapsearch request:
ldapsearch -H ldap.domain.tld -W -b dc=domain,dc=tld -s sub -D cn=user,ou=service,ou=employees,ou=users,dc=domain,dc=tld
I did not specify any filter as I want to check that ldapsearch is correctly printing only the allowed attributes.
@SvW here is what I've put in my slapd.conf according to your example and the OpenLDAP documentation:
I edited my slapd.conf with the following ACL rules, eliminating group.exact for easier debugging:
# "by" clauses are continuation lines and must start with whitespace
access to *
    by self read
    by anonymous auth
    by * none
access to attrs=userpassword
    by self write
    by anonymous auth
    by * none
but once again I'm facing the "32 No such object" error when I'm trying the following ldapsearches:
ldapsearch -W -s sub -D cn=user,ou=service,ou=employees,ou=users,dc=domain,dc=tld -b dc=domain,dc=tld userpassword=*
or without filter:
ldapsearch -W -s sub -D cn=user,ou=service,ou=employees,ou=users,dc=domain,dc=tld -b dc=domain,dc=tld
Best Answer
To test, try to add
after the first ACL entry.
This should still restrict the userpassword but explicitly allow you to read all other fields (I believe OpenLDAP implicitly adds "to * by * none" otherwise; see section 8.3.4 of the documentation).
Edit:
Does it restrict the password field? This is not very clear from your comment. If not, remember @Janne's answer and check if the spelling for userPassword is correct. If it is working, you'll have to start from there to add restrictions. The following is untested, but should work (it might be too restrictive though).
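As an added example that is not part of the question or the answer, the following Python script models slapd's ACL evaluation order (first matching "access to" clause wins, first matching "by" clause decides, implicit trailing "by * none" and "access to * by * none") and runs both ACL sets posted above, plus an assumed corrected set, against the poster's DNs. The "users" selector, the check on the base entry's "entry" pseudo-attribute (slapd needs search access there and answers noSuchObject when not even disclose is granted) and the corrected set are assumptions for this example, not text from the page.

```python
# Added example, not code from the question or answer: a small model of how slapd
# evaluates slapd.conf "access to" directives, run against the ACLs and DNs posted
# above. Rules modelled (OpenLDAP's): the first matching <what> clause is used, the
# first matching <who> inside it decides, each clause ends with an implicit
# "by * none", and an implicit "access to * by * none" follows the last clause.
# A search needs "search" on the base entry's "entry" pseudo-attribute; when not
# even "disclose" is granted, slapd answers noSuchObject (32), not 50.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

def who_matches(who, bind_dn, target_dn):
    """Only the <who> selectors used on this page, plus 'users', are modelled."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    raise ValueError("unsupported <who>: " + who)

def access_level(acls, bind_dn, target_dn, attr):
    """acls: [(what, [(who, level), ...]), ...] in file order; what is '*' or 'attrs=a,b'."""
    for what, clauses in acls + [("*", [])]:             # implicit trailing "access to *"
        if what != "*" and attr.lower() not in what[len("attrs="):].lower().split(","):
            continue
        for who, level in clauses + [("*", "none")]:     # implicit trailing "by * none"
            if who_matches(who, bind_dn, target_dn):
                return level
    return "none"  # not reached: the implicit rule always matches

def search_base_result(acls, bind_dn, base_dn):
    """LDAP result a search gets, derived from the access granted on the base entry."""
    lvl = LEVELS.index(access_level(acls, bind_dn, base_dn, "entry"))
    if lvl >= LEVELS.index("search"):
        return "success"
    return "insufficientAccess" if lvl >= LEVELS.index("disclose") else "noSuchObject"

BASE = "dc=domain,dc=tld"
USER = "cn=user,ou=service,ou=employees,ou=users,dc=domain,dc=tld"
# The question's first ACL (group.exact clause dropped, as in the follow-up):
ORIGINAL = [("attrs=userPassword", [("self", "write"), ("anonymous", "auth")])]
# The follow-up ACL: "access to *" placed before the userPassword rule, shadowing it:
FOLLOWUP = [("*", [("self", "read"), ("anonymous", "auth")])] + ORIGINAL
# Assumed fix (not from the page): password rule first, then read for bound users:
FIXED = ORIGINAL + [("*", [("users", "read")])]

if __name__ == "__main__":
    for name, acls in [("original", ORIGINAL), ("follow-up", FOLLOWUP), ("fixed", FIXED)]:
        print(name, search_base_result(acls, USER, BASE), access_level(acls, USER, USER, "userPassword"))
```

Both posted ACL sets leave the bound user with no access at all to the base entry, which is why the search reports "32 No such object" rather than an access error; in the follow-up set the "access to *" clause also shadows the userPassword clause, so the owner only gets read on the password.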