I have a setup of OpenLDAP v2.3 which I have been using for the last few years. Following are the lines in slapd.conf for access control.
access to dn.one="o=abc, c=IN"
    by * read
access to dn.base="o=abc, c=IN"
    by * none
When I do an ldapsearch using an anonymous bind, it gives me a result. For example, the following command gives a result.
ldapsearch -x -h localhost -b "o=abc,c=IN"
Now I have upgraded the OS, CentOS, from 5.5 to 6.3, so the OpenLDAP version is now OpenLDAP v2.4. We have not changed the schema.
But now the same ldapsearch gives me a "result: 32 No such object" error.
But it works when I add the following line to the access control configuration.
access to dn.one="o=abc, c=IN"
    by * read
access to dn.base="o=abc, c=IN"
    by anonymous read
    by * none
What can be the reason? Is there any security risk in doing so?
I posted the question on the OpenLDAP mailing list and got the answer. Thanks to Pierangelo Masarati.
In OpenLDAP v2.4, the search operation requires "search" privileges on the "entry" pseudo-attribute of the search base, which was not the case in v2.3.
man slapd.access(5):
So I do not have to give anonymous read access to the base. The search privilege alone is enough, as follows.
I tested it successfully.
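The following is an added illustration, not code from the question, the answer or the OpenLDAP project. It is a small Python model of how slapd picks the first matching `access to` clause and then the first matching `by` clause, using the access-level ordering from slapd.access(5) (none < disclose < auth < compare < search < read < write < manage). It embeds three constructed slapd.conf fragments: the original 2.3 ACL, the "by anonymous read" workaround from the question, and a least-privilege variant that grants anonymous only `search` on the base entry, which is my reading of the fix the answer describes (the exact lines the answerer used are not shown on the page). It models only the 2.4 base-entry check the answer refers to, not the per-entry read checks that decide which entries a search actually returns.

```python
"""Toy model of OpenLDAP `access to ... by ...` evaluation (constructed example).

Only the dn.base / dn.one target styles and the `*`, `anonymous` and `users`
who-clauses are modelled; this is enough to show why a v2.3 ACL yields
"result: 32 No such object" under v2.4 and why `search` on the base entry is
a smaller grant than `read`.
"""
import re

# Access levels from slapd.access(5), in ascending order of privilege.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed slapd.conf fragments (labelled as such; not copied from a live server).
ACL_V23 = """
access to dn.one="o=abc, c=IN"
    by * read
access to dn.base="o=abc, c=IN"
    by * none
"""

ACL_ANON_READ = """
access to dn.one="o=abc, c=IN"
    by * read
access to dn.base="o=abc, c=IN"
    by anonymous read
    by * none
"""

# Assumed least-privilege form of the fix: anonymous may traverse the base
# entry (search) but may not read its attributes.
ACL_ANON_SEARCH = """
access to dn.one="o=abc, c=IN"
    by * read
access to dn.base="o=abc, c=IN"
    by anonymous search
    by * none
"""


def normalize_dn(dn):
    """Simplified DN matching: drop whitespace around commas and lowercase,
    so "o=abc, c=IN" and "o=abc,c=in" compare equal."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_acl(text):
    """Parse `access to dn.<style>="<dn>"` blocks and their `by <who> <level>` lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'access to dn\.(base|one)="([^"]+)"$', line)
        if m:
            rules.append({"style": m.group(1), "dn": normalize_dn(m.group(2)), "by": []})
            continue
        m = re.match(r"by (\*|anonymous|users) (\w+)$", line)
        if m and rules and m.group(2) in RANK:
            rules[-1]["by"].append((m.group(1), m.group(2)))
            continue
        raise ValueError("unsupported directive in this toy model: " + line)
    return rules


def target_matches(rule, dn):
    """dn.base matches the DN itself; dn.one matches entries exactly one RDN below it."""
    dn = normalize_dn(dn)
    if rule["style"] == "base":
        return dn == rule["dn"]
    parent = dn.split(",", 1)[1] if "," in dn else ""
    return parent == rule["dn"]


def who_matches(who, anonymous):
    return who == "*" or (who == "anonymous" and anonymous) or (who == "users" and not anonymous)


def granted_level(rules, dn, anonymous=True):
    """First matching `access to` clause wins; inside it the first matching `by`
    clause wins. A clause with no matching `by` denies (implicit `by * none`)."""
    for rule in rules:
        if target_matches(rule, dn):
            for who, level in rule["by"]:
                if who_matches(who, anonymous):
                    return level
            return "none"
    return "none"


def search_base_allowed(rules, base_dn, anonymous=True):
    """v2.4 behaviour described in the answer: the search base's entry
    pseudo-attribute needs at least `search`, otherwise the client sees
    noSuchObject (32) rather than a permission error."""
    return RANK[granted_level(rules, base_dn, anonymous)] >= RANK["search"]


if __name__ == "__main__":
    for name, text in (("v2.3 ACL", ACL_V23), ("anonymous read", ACL_ANON_READ),
                       ("anonymous search", ACL_ANON_SEARCH)):
        rules = parse_acl(text)
        print(name, "-> base level:", granted_level(rules, "o=abc,c=IN"),
              "| anonymous search OK:", search_base_allowed(rules, "o=abc,c=IN"))
```

Running the block shows the v2.3 fragment denying the search outright, and both fixes permitting it; the difference is that the `read` workaround also lets an anonymous client read the base entry's attributes, while `search` grants only what the 2.4 base check requires.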