Hi all,

From ldapd.conf(5) (https://man.openbsd.org/ldapd.conf):
Each request to the ldapd(8) daemon evaluates the filter rules in sequential order, from first to last. The last matching rule decides what action is taken. If no rule matches the request, the default action is to allow the request. The root DN is always allowed to perform any request.
This seems to be mostly true; what is missing from "If no rule matches the request, the default action is to allow the request" is that this is limited to "read" (and "bind"?), but not "write".
I got scared when reading the man page, and tried to modify LDAP entries without having explicit allow rules for that, and that, luckily, failed.
Regards, François
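An ldapd.conf(5) filter-rule set that does not lean on the default action at all, added here as an illustration and not part of François's message; the rule grammar follows ldapd.conf(5), while the namespace suffix and the admin DN are assumed placeholders:

```conf
# Constructed example: every access type is stated explicitly, so nothing
# relies on what "no rule matches" means for a given request type.
# Rules are evaluated first to last and the last match wins; the root DN
# always bypasses them. "dc=example,dc=com" and the admin DN are placeholders.

# Start from a closed position for every access type.
deny access to any by any

# Anyone, bound or anonymous, may read the whole tree.
allow read access to subtree "dc=example,dc=com" by any

# Accounts under ou=People may authenticate as their own entry...
allow bind access to subtree "ou=People,dc=example,dc=com" by any

# ...and may write only to that entry, nothing else.
allow write access to subtree "ou=People,dc=example,dc=com" by self

# One named admin may write anywhere in the namespace.
allow write access to subtree "dc=example,dc=com" by dn "cn=admin,dc=example,dc=com"
```

With the initial deny rule in place, the observed read/write asymmetry of the default action no longer matters: a request is allowed only when a later rule explicitly says so.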
