Why ldapsearch is not working with anonymous bind after upgrading OpenLDAP to v2.4

openldap

I have a setup of OpenLDAP v2.3 which I have been using for the last few years. The following are the access control lines in slapd.conf.

access to dn.one="o=abc, c=IN"
        by * read

access to dn.base="o=abc, c=IN"
        by * none

When I do an ldapsearch using an anonymous bind, it gives me results.

For example, the following command gives results.

ldapsearch -x -h localhost -b "o=abc,c=IN"

Now I have upgraded the OS, CentOS, from 5.5 to 6.3, so the OpenLDAP version is v2.4. We have not changed the schema.

But now the same ldapsearch gives me a "result: 32 No such object" error.

But it works when I add the following lines to the access control configuration.

access to dn.one="o=abc, c=IN"
        by * read

access to dn.base="o=abc, c=IN"
        by anonymous read
        by * none

What can be the reason? Is there any security risk in doing so?

Best Answer

I posted the question on OpenLDAP mailing list and got the answer. Thanks to Pierangelo Masarati.

In OpenLDAP v2.4, the search operation requires "search" privileges on the "entry" pseudo-attribute of the search base, which was not the case in v2.3.

man slapd.access(5):

[...]

The search operation, requires search (=s) privileges on the entry pseudo-attribute of the searchBase (NOTE: this was introduced with OpenLDAP 2.4).

[...]

So I do not have to give read access to anonymous for the base. The search privilege alone is enough, as follows.

access to dn.base="o=abc, c=IN"
        by anonymous search
        by * none

I tested it successfully.
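For reference, here is the complete ACL set the answer arrives at, written out as an added example (not the poster's own slapd.conf) with comments on how slapd evaluates it. The suffix "o=abc, c=IN" is the one from the question; nothing else about the directory is assumed.

```conf
# Added example, not the original poster's configuration.  slapd evaluates
# "access to" clauses in order and stops at the first one whose target
# matches the entry being checked; within that clause it stops at the first
# "by" clause whose subject matches the requester.  Privileges form a
# ladder (none < disclose < auth < compare < search < read < write), and
# each level implies the ones below it.

# Base entry: anonymous gets the search (=s) privilege only.  In OpenLDAP 2.4
# this is what a search rooted here needs on the "entry" pseudo-attribute of
# the searchBase; without it the server answers "32 No such object".
# search does NOT allow reading the base entry's attributes or returning the
# entry itself in results (that needs read, =r), so the organization entry
# stays hidden from anonymous clients, which is why "by anonymous search"
# is the narrower fix compared to "by anonymous read".
access to dn.base="o=abc, c=IN"
        by anonymous search
        by * none

# Immediate children of the base are readable by everyone, as before the
# upgrade.  dn.one matches exactly one level below the base; entries deeper
# in the tree fall through to the implicit final "access to * by * none"
# that applies whenever any access directive is present, so a deeper tree
# needs dn.subtree here instead.
access to dn.one="o=abc, c=IN"
        by * read
```

After reloading slapd, the original check from the question, ldapsearch -x -h localhost -b "o=abc,c=IN", should return the child entries under the base but not the base entry itself, while the earlier "32 No such object" error no longer appears.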
