Here are my default olcAccess settings after installation:
Don't put Samba stuff here; just focus on one application's access.
olcAccess: {10} to * by * read
However, I am not satisfied with these settings because using the anonymous user, anyone can browse the entire LDAP tree. While passwords are not visible with anonymous login, user data in the LDAP domain is exposed.
Is this the default when you install? Pretty terrible still, no wonder everyone's data is everywhere. So make sure you firewall your LDAP.
But indeed, you should work the other way around: start with something no one can access.
olcAccess: {0} to dn.exact="" by * read
olcAccess: {1} to dn.exact="cn=Subschema" by * read
olcAccess: {2} to attrs=userPassword,shadowLastChange by ssf=256 self read by ssf=256 anonymous auth by * none
olcAccess: {3} to * by * none
Check also these ssf=256 settings; otherwise your data can go over plain connections.
Then test if you can authenticate only over SSL with your LDAP entries. Make sure your command lines work first; it does not make sense to look at Dovecot at this stage.
ldapsearch -W -s sub -b "uid=test,dc=local" -D "uid=test,dc=local" -H ldap://ldap.local:389/
Make sure to increase logging so you can see what Dovecot is trying to query on the LDAP. Create LDIFs to increase/decrease logging and update your ACLs like this.
ldapadd -D "cn=admin,cn=config" -W -H ldapi:/// -f /home/scripts/inclogging.ldif
If I change the last olcAccess entry from "olcAccess: {10} to * by * read" to "olcAccess: {10} to * by anonymous auth," the anonymous user cannot browse LDAP, but the mail client user also cannot log in.
If you are not doing this ACL stuff too often, it is really annoying.
What should be the correct configuration?
Can't remember exactly; this is what I have from trying to create a stateless container with Docker. It also depends on your use case. I can't really remember why I have auth_bind = no; I think it was related to reducing the amount of queries to LDAP.
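As an added example (not code from either poster), here is the "deny everything, then open only what each client needs" ACL set from the answer above, extended with a dedicated bind DN for the mail server so that blocking anonymous browsing does not also lock the mail client out. It is emitted as an LDIF you can review before applying it with the same ldapmodify-over-ldapi pattern the thread uses. The database DN (olcDatabase={1}mdb), the suffix dc=local, the ou=people subtree and the service DN cn=dovecot,ou=services,dc=local are assumptions; change them to match your directory.

```shell
#!/bin/sh
# Added example: generate a deny-by-default olcAccess set for one database and,
# only when run as "./acl.sh apply", push it to cn=config over ldapi:///.
# Assumed names (adjust): database olcDatabase={1}mdb, suffix dc=local,
# user subtree ou=people, mail-server bind DN cn=dovecot,ou=services,dc=local.
set -eu

DB_DN='olcDatabase={1}mdb,cn=config'
SVC_DN='cn=dovecot,ou=services,dc=local'
SUFFIX='dc=local'

# Print the LDIF so it can be inspected (or diffed against the running config)
# before it replaces the whole olcAccess list. Continuation lines start with a
# space, which LDIF strips; the second space keeps the tokens separated.
# ssf=256 only matches if the negotiated TLS cipher yields that strength
# (AES-128 gives 128); a bind over plain ldap:// matches nothing but "by * none".
gen_acl_ldif() {
    cat <<EOF
dn: ${DB_DN}
changetype: modify
replace: olcAccess
olcAccess: {0}to dn.exact="" by * read
olcAccess: {1}to dn.exact="cn=Subschema" by * read
olcAccess: {2}to attrs=userPassword,shadowLastChange
  by ssf=256 self write
  by ssf=256 anonymous auth
  by * none
olcAccess: {3}to dn.subtree="ou=people,${SUFFIX}"
  by ssf=256 dn.exact="${SVC_DN}" read
  by ssf=256 self read
  by * none
olcAccess: {4}to * by * none
EOF
}

# Sanity check on the generated rules: every rule that exposes data must fall
# through to "by * none" (rules 2, 3 and 4), and anonymous may only ever "auth".
count_deny_fallbacks() {
    gen_acl_ldif | grep -c 'by \* none'
}
anon_never_reads() {
    ! gen_acl_ldif | grep -q 'anonymous read'
}

if [ "${1:-}" = "apply" ]; then
    gen_acl_ldif | ldapmodify -D "cn=admin,cn=config" -W -H ldapi:///
fi
```

After applying, rerun the anonymous ldapsearch from the thread (no -D/-W) over ldap:// and over ldaps:// and confirm it returns no entries, while a search bound as the service DN over TLS still returns the user. Note that with auth_bind = no Dovecot reads userPassword itself through the service DN, which rule {2} above denies; either use auth_bind = yes or grant that DN read on the attribute.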