On Tue, Feb 15, 2011 at 3:20 PM, Andrew Findlay <[email protected]> wrote:

> On Tue, Feb 15, 2011 at 02:52:19PM -0200, Leonardo Carneiro wrote:
>
> > #######################################################################
> > # Specific Directives for database #1, of type bdb:
> > # Database specific directives apply to this database until another
> > # 'database' directive occurs
> > database bdb
> >
> > # The base of your directory in database #1
> > suffix dc=dominio,dc=com,dc=br
>
> OK so far, but this is your complete set of ACLs:
>
> > # The userPassword by default can be changed
> > # by the entry owning it if they are authenticated.
> > # Others should not be able to see it, except the
> > # admin entry below
> > # These access lines apply to database #1 only
> > #access to * by anonymous read
> > #        by dn="cn=root,dc=dominio,dc=com,dc=br" write
> > #        by anonymous auth
> > #        by self write
> > #        by * none
> >
> >
> > # Ensure read access to the base for things like
> > # supportedSASLMechanisms. Without this you may
> > # have problems with SASL not knowing what
> > # mechanisms are available and the like.
> > # Note that this is covered by the 'access to *'
> > # ACL below too but if you change that as people
> > # are wont to do you'll still need this if you
> > # want SASL (and possible other things) to work
> > # happily.
> > access to dn.base="" by * read
> >
> > ######### this last entry was commented. I uncommented it to check if it would
> > change anything, but it hasn't.
> >
> > # The admin dn has full write access, everyone else
> > # can read everything.
> > #access to *
> > #        by dn="cn=admin,dc=nodomain" write
> > #        by * read
> >
> > # For Netscape Roaming support, each user gets a roaming
> > # profile for which they have write access to
> > #access to dn=".*,ou=Roaming,o=morsnet"
> > #        by dn="cn=admin,dc=nodomain" write
> > #        by dnattr=owner write
>
> ... so all you have is anon access to the null DN.
>
> The commented-out userPassword clause is getting close, but
> does not actually control userPassword...
>
> I suggest you add this after the 'access to dn.base="" by * read' line:
>
> access to attrs="userPassword"
>         by self =w
>         by * auth
>
> access to * by * read
>
>
> Andrew
> --
> -----------------------------------------------------------------------
> | From Andrew Findlay, Skills 1st Ltd                                 |
> | Consultant in large-scale systems, networks, and directory services |
> | http://www.skills-1st.co.uk/                       +44 1628 782565  |
> -----------------------------------------------------------------------

(reply to all now)

Hmm, still did not work. If I do an ldapsearch specifying '-D cn=root,dc=dominio,dc=com,dc=br' and the password, the search goes OK. If I do not specify it, it asks me for SASL/MD5 authentication and fails; it just asks for a password. If I include a '-x' parameter, it also does not work:

chester@reploid:~$ ldapsearch -v -h 192.168.0.2 -b "dc=dominio,dc=com,dc=br" '(objectclass=*)' -LLL -x
ldap_initialize( ldap://192.168.0.2 )
filter: (objectclass=*)
requesting: All userApplication attributes
No such object (32)
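The reasoning behind Andrew's suggestion rests on how slapd evaluates access directives: the first 'access to' directive whose target matches the entry or attribute is the only one consulted, and within it the first matching 'by' clause decides, with an implicit 'by * none' at the end; once any access directive exists, anything no directive covers is denied. The following is an added example, not part of this thread and not OpenLDAP code: a small Python simulator of that first-match rule, run over the thread's single live directive, Andrew's suggested set, and the same set with the catch-all 'access to * by * read' moved ahead of the userPassword clause. The entry DN uid=example,dc=dominio,dc=com,dc=br is constructed for the demonstration; the rootdn bypass that real slapd applies is not modelled.

```python
"""Simulate slapd's first-match evaluation of slapd.conf 'access to' directives.

Added example for this thread, not OpenLDAP code. Supported subset: targets
'*', dn.base="...", attrs=...; subjects '*', anonymous, users, self, dn="...";
levels none..manage and exact forms such as '=w'. rootdn is not modelled.
"""
import re

# Privilege letters in slapd's order: disclose, auth, compare, search, read, write, manage.
PRIV_ORDER = "dxcsrwm"
LEVEL_LETTER = {"none": "", "disclose": "d", "auth": "x", "compare": "c",
                "search": "s", "read": "r", "write": "w", "manage": "m"}


def norm(dn):
    """Lower-case a DN and drop whitespace around commas so DNs compare as strings."""
    return ",".join(p.strip() for p in dn.lower().split(","))


def level_to_privs(token):
    """A named level grants itself and every lower level; '=w'-style tokens grant
    exactly the listed letters, so '=w' allows write but not read."""
    if token.startswith("="):
        return set(token[1:])
    letter = LEVEL_LETTER[token]
    return set(PRIV_ORDER[: PRIV_ORDER.index(letter) + 1]) if letter else set()


def parse_acls(text):
    """Return (target, by_clauses) pairs. Lines starting with '#' are comments and
    indented lines continue the previous directive, as in slapd.conf."""
    directives = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and directives:
            directives[-1] += " " + raw.strip()
        else:
            directives.append(raw.strip())
    acls = []
    for d in directives:
        if not d.startswith("access to "):
            continue  # other slapd.conf directives are irrelevant here
        what, *by_clauses = re.split(r"\s+by\s+", d[len("access to "):])
        target = {"dn": None, "attrs": None}
        m = re.search(r'dn\.base="([^"]*)"', what)
        if m:
            target["dn"] = norm(m.group(1))
        m = re.search(r'attrs="?([^"\s]+)"?', what)
        if m:
            target["attrs"] = {a.strip().lower() for a in m.group(1).split(",")}
        bys = []
        for clause in by_clauses:
            who, level = clause.split(None, 1)  # assumes no spaces inside dn="..."
            bys.append((who, level_to_privs(level.strip())))
        acls.append((target, bys))
    return acls


def who_matches(who, bind_dn, target_dn):
    """Does a 'by' subject apply to this binder (bind_dn None means anonymous)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn == target_dn
    m = re.fullmatch(r'dn(?:\.exact)?="([^"]*)"', who)
    if m:
        return bind_dn is not None and bind_dn == norm(m.group(1))
    raise ValueError("unsupported 'by' subject: " + who)


def privileges(acls, bind_dn, target_dn, attr=None):
    """Privilege letters the binder gets on target_dn (attr=None means the entry itself)."""
    bind_dn = norm(bind_dn) if bind_dn is not None else None
    target_dn = norm(target_dn)
    attr = attr.lower() if attr else None
    for target, bys in acls:
        if target["dn"] is not None and target["dn"] != target_dn:
            continue
        if target["attrs"] is not None and (attr is None or attr not in target["attrs"]):
            continue
        for who, privs in bys:
            if who_matches(who, bind_dn, target_dn):
                return privs
        return set()  # implicit trailing 'by * none' in every directive
    return set()      # no directive matched: denied once any ACLs exist


def can(config, bind_dn, target_dn, attr, priv):
    """True if the binder holds privilege letter `priv` on the target under `config`."""
    return priv in privileges(parse_acls(config), bind_dn, target_dn, attr)


SUFFIX = "dc=dominio,dc=com,dc=br"            # suffix from the thread
USER = "uid=example,dc=dominio,dc=com,dc=br"  # constructed user entry

# The thread's slapd.conf as posted: a single live directive.
AS_POSTED = 'access to dn.base="" by * read\n'

# Andrew Findlay's suggestion, in the order he gave it.
SUGGESTED = '''
access to dn.base="" by * read
access to attrs="userPassword"
        by self =w
        by * auth
access to * by * read
'''

# Same directives with the catch-all placed first: it matches userPassword
# before the protecting clause is ever reached.
MISORDERED = '''
access to dn.base="" by * read
access to * by * read
access to attrs="userPassword"
        by self =w
        by * auth
'''

if __name__ == "__main__":
    for name, cfg in (("as posted", AS_POSTED), ("suggested", SUGGESTED), ("misordered", MISORDERED)):
        print(f"{name:10s} anon reads base: {can(cfg, None, SUFFIX, None, 'r')}  "
              f"anon reads userPassword: {can(cfg, None, USER, 'userPassword', 'r')}  "
              f"self writes userPassword: {can(cfg, USER, USER, 'userPassword', 'w')}")
```

Under the configuration as posted, an anonymous binder holds no privilege at all on the suffix entry, not even disclose, which is why slapd refuses to acknowledge the entry rather than returning it. With the suggested set, anonymous gets read on the tree and only auth on userPassword (enough for binds, not enough to read hashes), and a user gets exact write on their own password without read-back. The misordered variant shows the failure mode worth checking in any slapd.conf review: the catch-all placed before the attribute clause hands userPassword hashes to anonymous readers.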
