Try to be a little more restrictive in your ACLs, and remember that they are enforced top-down.
http://sapiens.wustl.edu/~sysmain/info/openldap/openldap_configure_acl.html
For instance mine look like:

access to *
        by group="cn=LDAPAdmins,ou=DSA,dc=,dc=com" write
        by dn="cn=replicator,ou=DSA,dc=,dc=com" write
        by * none break

access to dn.base=""
        by * read

access to dn.base="cn=Subschema"
        by * read
# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
#security ssf=1 update_ssf=71 simple_bind=64

# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPasswordHistory,userPKCS12
        by dn="cn=Manager,dc=,dc=com" write
        by self write
        by anonymous auth
        by * none
# Not currently using Kerberos
#access to attrs=krb5PrincipalName
#       by * ssf=56 read
#access to attrs=krb5Key
#       by dn="cn=manager,dc=,dc=com" write
#       by * none

access to dn.subtree="ou=Idmap,dc=,dc=com"
        by dn="cn=winbind,ou=DSA,dc=,dc=com" write
        by * none

access to *
        by * read
Not fully comprehensive, but it's enough for our network as it stands.
What error messages are you getting from ldapwhoami?
Rob
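Since the point of the post is that the ACLs are walked top-down, here is a small Python model of that evaluation, added as an illustration; it is neither slapd's code nor part of Rob's post. It loads the ACL list from the post with dc=example,dc=com standing in for the redacted suffix, an invented LDAPAdmins membership and a few invented entry DNs, and asks the questions a slapacl run would: can anonymous authenticate against userPassword but not read it, can a user change only their own password, is winbind the only identity that can touch ou=Idmap, and what happens to ordinary users if the `by * none break` on the first clause is changed to slapd's default `stop`.

```python
"""Model of how slapd walks an ACL list, added as an illustration (not slapd's
code): the first 'access to' clause whose target matches is selected, its 'by'
clauses are tried in order, the first match decides, and only a 'break' control
lets later 'access to' clauses be consulted.  Applied to the ACLs posted above."""
from dataclasses import dataclass

# slapd's access levels in increasing order; granting one grants all below it
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

@dataclass
class By:
    who: str               # "*", "anonymous", "self", "dn=<dn>", "group=<dn>"
    access: str            # one of LEVELS
    control: str = "stop"  # slapd's default; "break" continues with the next rule

@dataclass
class Rule:
    target: str            # "*", "attrs=<a,b,...>", "dn.base=<dn>", "dn.subtree=<dn>"
    bys: list

def norm(dn):
    return dn.lower()      # DNs compare case-insensitively (whitespace rules ignored)

def target_matches(target, entry_dn, attr):
    if target == "*":
        return True
    kind, _, value = target.partition("=")
    if kind == "attrs":
        return attr is not None and attr.lower() in {a.lower() for a in value.split(",")}
    if kind == "dn.base":
        return norm(entry_dn) == norm(value)
    if kind == "dn.subtree":
        return norm(entry_dn) == norm(value) or norm(entry_dn).endswith("," + norm(value))
    raise ValueError("unsupported target: " + target)

def who_matches(who, bind_dn, entry_dn, groups):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and norm(bind_dn) == norm(entry_dn)
    kind, _, value = who.partition("=")
    if kind == "dn":       # treated as an exact DN match in this model
        return bind_dn is not None and norm(bind_dn) == norm(value)
    if kind == "group":    # membership comes from the constructed table below
        return bind_dn is not None and norm(bind_dn) in groups.get(norm(value), set())
    raise ValueError("unsupported who: " + who)

def check(rules, groups, bind_dn, entry_dn, attr, wanted):
    """True if bind_dn (None = anonymous) gets at least `wanted` access to
    `attr` of `entry_dn`, evaluating `rules` top-down the way slapd does."""
    mask = "none"
    for rule in rules:
        if not target_matches(rule.target, entry_dn, attr):
            continue
        for by in rule.bys:
            if who_matches(by.who, bind_dn, entry_dn, groups):
                mask, control = by.access, by.control
                break
        else:
            return False   # target matched but no 'by' did: implicit 'by * none'
        if control == "stop":
            return LEVELS.index(mask) >= LEVELS.index(wanted)
        # 'break': keep this grant but let a later 'access to' clause replace it
    return LEVELS.index(mask) >= LEVELS.index(wanted)

# Constructed sample data: dc=example,dc=com stands in for the redacted suffix,
# the LDAPAdmins membership and the entry DNs are invented for the demonstration.
SUFFIX = "dc=example,dc=com"
ADMIN_GROUP = f"cn=LDAPAdmins,ou=DSA,{SUFFIX}"
ROOT, ALICE, BOB = (f"uid={u},ou=People,{SUFFIX}" for u in ("root", "alice", "bob"))
WINBIND = f"cn=winbind,ou=DSA,{SUFFIX}"
IDMAP_ENTRY = f"uidNumber=10000,ou=Idmap,{SUFFIX}"
GROUPS = {norm(ADMIN_GROUP): {norm(ROOT)}}
PASSWORD_ATTRS = "userPassword,sambaNTPassword,sambaLMPassword,sambaPasswordHistory,userPKCS12"

RULES = [
    Rule("*", [By(f"group={ADMIN_GROUP}", "write"),
               By(f"dn=cn=replicator,ou=DSA,{SUFFIX}", "write"),
               By("*", "none", "break")]),
    Rule("dn.base=", [By("*", "read")]),
    Rule("dn.base=cn=Subschema", [By("*", "read")]),
    Rule(f"attrs={PASSWORD_ATTRS}", [By(f"dn=cn=Manager,{SUFFIX}", "write"),
                                     By("self", "write"), By("anonymous", "auth"),
                                     By("*", "none")]),
    Rule(f"dn.subtree=ou=Idmap,{SUFFIX}", [By(f"dn={WINBIND}", "write"), By("*", "none")]),
    Rule("*", [By("*", "read")]),
]
# The same list with slapd's default 'stop' on the first catch-all clause.
RULES_NO_BREAK = [Rule(r.target, [By(b.who, b.access) for b in r.bys]) for r in RULES]

def demo():
    """Representative decisions under the posted ACLs (True = allowed)."""
    return {
        "anon_auth_password": check(RULES, GROUPS, None, ALICE, "userPassword", "auth"),
        "anon_read_password": check(RULES, GROUPS, None, ALICE, "userPassword", "read"),
        "self_write_password": check(RULES, GROUPS, ALICE, ALICE, "userPassword", "write"),
        "other_read_password": check(RULES, GROUPS, BOB, ALICE, "userPassword", "read"),
        "user_read_cn": check(RULES, GROUPS, BOB, ALICE, "cn", "read"),
        "user_write_cn": check(RULES, GROUPS, BOB, ALICE, "cn", "write"),
        "admin_write_cn": check(RULES, GROUPS, ROOT, ALICE, "cn", "write"),
        "winbind_write_idmap": check(RULES, GROUPS, WINBIND, IDMAP_ENTRY, "uidNumber", "write"),
        "user_read_idmap": check(RULES, GROUPS, BOB, IDMAP_ENTRY, "uidNumber", "read"),
        "anon_read_rootdse": check(RULES, GROUPS, None, "", None, "read"),
        # with 'stop' instead of 'break', the top clause denies everyone but admins
        "user_read_cn_no_break": check(RULES_NO_BREAK, GROUPS, BOB, ALICE, "cn", "read"),
    }
```

The model only covers the who/what forms the post uses (exact dn=, group=, self, anonymous, *, attrs=, dn.base=, dn.subtree=). Against a real server, run slapacl(8) with the live slapd.conf instead; it evaluates the actual rules, including regex styles and the SSF conditions this model ignores.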