RSS feed

Re: Setting up authentication on a non-public LDAP directory

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: Setting up authentication on a non-public LDAP directory

On Thu, 2011-06-02 at 14:35 +0200, Mathias wrote:
> In case someone else falls into this, I have found a workaround. I am
> not completely happy with it, but it does disable some anonymous
> requests to the LDAP directory.
> I changed my faulty LDAP ACL :
> before :
> to *
> by dn.base="cn=admin,dc=test,dc=net" write
> by dn.base="cn=reader,dc=test,dc=net" read
> by anonymous auth  *
> by * none
> after :
> to *  by dn.base="cn=admin,dc=massidia,dc=net" write
> by dn.base ="cn=reader,dc=massidia,dc=net" read
> by self write
> by anonymous auth
> by users read
> by * none

nslcd tries to do a search for the user's own entry after authentication
to see if the authentication actually succeeded (it doesn't need any
attributes, just the DN). This means that the user should have access to
their own DN. For password modification the user should also have write
access to the userPassword attribute.

Adding this in front of the above ACL should already work:

access to attrs=userPassword
  by anonymous auth
  by self write
  by * none

-- arthur - - --
To unsubscribe send an email to or see