Bug 77545 - Some issues with LDAP ACLs
Summary: Some issues with LDAP ACLs
Status: RESOLVED WONTFIX
Product: [OLD] Docs-user
Classification: Unclassified
Component: Other
Hardware: All, OS: All
Importance: High normal
Assignee: Sven Vermeulen (RETIRED)
URL: http://www.gentoo.org/doc/en/ldap-how...
Reported: 2005-01-11 09:45 UTC by Sven Vermeulen (RETIRED)
Modified: 2005-03-26 11:39 UTC

Description Sven Vermeulen (RETIRED) gentoo-dev 2005-01-11 09:45:16 UTC
A few e-mails that all boil down to the same issue, hopefully also the same answer.

E-mail 1:
"""
Once setting up ACLs, there is something missing in the howto. Do I have
to put a binddn or rootdn inside the ldap.conf?
"""
and, after asking what binddn/rootdn does:
"""
well I tried the following. When setting ACLs so that you can not read
anonymously, you have to supply some binddn and bindpasswd. This is
because there are two connections made upon an auth request. One tries to
find the specified DN. The next authenticates against the directory. So
for the first you have to supply a binddn since the search will not
return anything if not. And so the second (auth) request will fail.

The binddn is a regular DN that must exist in the directory. The rootdn
is used to represent the root DN (uid=root) inside the DN. This is
needed if the binddn only has read access (for the lookups) but you want
to write with a certain account (rootdn).

So, to make a long answer short, if you disallow reading for anonymous,
then you have to bind to the directory to authenticate successfully.
"""

Second e-mail:
"""
I successfully set up my OpenLDAP server using your guide. But there
seems to be something wrong with the ACLs in code listing 4.5 though,
with them I can log in but get /bin/whoami: cannot find username for
UID 500

I took out the ACLs provided and everything seems to work fine.
Does that create a security problem for me?
"""
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2005-03-26 11:39:50 UTC
After lots of investigation, I have to say I don't think it's needed. When binddn isn't set, it uses an anonymous connection to the LDAP server. All ACLs allow anonymous connections to authenticate.

The issue is that running whoami will do an anonymous query for the username, and this is indeed disallowed by the ACL, but that's the admin's decision. If he wants to allow this querying, use

access to attrs=uid,uidNumber,gidNumber
  by anonymous read
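The ACL change suggested in Comment 1, and the binddn/bindpw alternative described in the first e-mail, written out as a constructed slapd.conf ACL section and a matching nss_ldap/pam_ldap ldap.conf fragment. This is an added illustration, not text from the bug, the Gentoo LDAP guide or its code listing 4.5; the suffix, account DNs and password are placeholders, and the entry pseudo-attribute in the relaxed clause is an addition beyond the one-liner above (per slapd.access(5), read access to entry is required before a matching entry is returned by a search at all).

```conf
# --- /etc/openldap/slapd.conf, ACL section (constructed example) ---
# slapd uses the first "access to" clause whose target matches the
# entry/attribute, then the first "by" clause matching the requester;
# if no "by" clause matches, access is denied. Order therefore matters.

# Variant A: anonymous clients may only bind, never read.
# An anonymous nss_ldap search for uidNumber=500 returns nothing, so
# whoami fails the same way as in the second e-mail
# ("cannot find username for UID 500").
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by users read
    by * none

# Variant B: same policy, but the attributes NSS needs to map
# uid <-> name <-> gid are readable anonymously: the clause from
# Comment 1, plus the entry pseudo-attribute (assumption added here)
# so that matching entries are actually returned. This clause must
# precede the catch-all "access to *" clause or it is never reached.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to attrs=uid,uidNumber,gidNumber,entry
    by anonymous read
    by users read
access to *
    by users read
    by * none

# --- /etc/ldap.conf for nss_ldap/pam_ldap (constructed example) ---
# Alternative to variant B: keep variant A on the server and let NSS
# bind as a dedicated read-only account, so lookups are no longer
# anonymous. This file must be world-readable for NSS to work, so the
# bindpw below is visible to every local user: give the account read
# access only, and never reuse the rootdn password here.
base   dc=example,dc=com
binddn cn=nssreader,ou=system,dc=example,dc=com
bindpw PLACEHOLDER-read-only-password
# Only needed when an administrative account should perform writes
# (e.g. password changes by root). Its password is not taken from this
# file but from /etc/ldap.secret, which must be root-owned, mode 0600.
rootbinddn cn=Manager,dc=example,dc=com
```

Under variant A, pam_ldap's initial search for the user's DN is anonymous as well when no binddn is configured, so that lookup comes back empty and the subsequent bind never happens; this is the two-connection behaviour the first e-mail describes, and it is why the ldap.conf binddn matters even for login when anonymous read is denied. Variant B avoids the shared password in a world-readable file at the cost of exposing uid/uidNumber/gidNumber to anyone who can reach the server, which is the trade-off Comment 1 leaves to the administrator.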