I’ve managed to find a solution.
Here’s the background:
/etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif defines the underlying LDAP storage database and its ACLs.
The default .ldif has 3 “olcAccess” lines:
olcAccess: {0}to attrs=sambaNTPassword by dn.exact="gidNumber=0+uidNumber=0,cn
 =peercred,cn=external,cn=auth" manage by dn.exact="cn=samba,dc=directory,dc=n
 h" peername.ip="127.0.0.1" write by self write by * none
olcAccess:: ezF9dG8gYXR0cnM9dXNlclBhc3N3b3JkIGJ5IGRuLmV4YWN0PSJnaWROdW1iZXI9MC
 t1aWROdW1iZXI9MCxjbj1wZWVyY3JlZCxjbj1leHRlcm5hbCxjbj1hdXRoIiBtYW5hZ2UgYnkgZG4
 uZXhhY3Q9ImNuPXBhbSxkYz1kaXJlY3RvcnksZGM9bmgiIHBlZXJuYW1lLnBhdGg9Ii92YXIvcnVu
 L2xkYXBpIiB3cml0ZSBieSBkbi5leGFjdD0iY249bGlidXNlcixkYz1kaXJlY3RvcnksZGM9bmgiI
 HBlZXJuYW1lLmlwPSIxMjcuMC4wLjEiIHdyaXRlIGJ5IGFub255bW91cyBhdXRoIGJ5IHNlbGYgd3
 JpdGUgYnkgKiBub25lIA==
olcAccess:: ezJ9dG8gKiBieSBkbi5leGFjdD0iZ2lkTnVtYmVyPTArdWlkTnVtYmVyPTAsY249cG
 VlcmNyZWQsY249ZXh0ZXJuYWwsY249YXV0aCIgbWFuYWdlIGJ5IGRuLmV4YWN0PSJjbj1zYW1iYSx
 kYz1kaXJlY3RvcnksZGM9bmgiIHBlZXJuYW1lLmlwPSIxMjcuMC4wLjEiIHdyaXRlIGJ5IGRuLmV4
 YWN0PSJjbj1wYW0sZGM9ZGlyZWN0b3J5LGRjPW5oIiBwZWVybmFtZS5wYXRoPSIvdmFyL3J1bi9sZ
 GFwaSIgd3JpdGUgYnkgZG4uZXhhY3Q9ImNuPWxpYnVzZXIsZGM9ZGlyZWN0b3J5LGRjPW5oIiBwZW
 VybmFtZS5pcD0iMTI3LjAuMC4xIiB3cml0ZSBieSB1c2VycyBzc2Y9NzEgcmVhZCBieSAqIG5vbmU
 g
The 2nd and 3rd statements are base64 encoded; here's the cleaned-up (decoded) version:
olcAccess: {0}to attrs=sambaNTPassword
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by dn.exact="cn=samba,dc=directory,dc=nh" peername.ip="127.0.0.1" write
  by self write
  by * none
olcAccess: {1}to attrs=userPassword
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by dn.exact="cn=pam,dc=directory,dc=nh" peername.path="/var/run/ldapi" write
  by dn.exact="cn=libuser,dc=directory,dc=nh" peername.ip="127.0.0.1" write
  by anonymous auth
  by self write
  by * none
olcAccess: {2}to *
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by dn.exact="cn=samba,dc=directory,dc=nh" peername.ip="127.0.0.1" write
  by dn.exact="cn=pam,dc=directory,dc=nh" peername.path="/var/run/ldapi" write
  by dn.exact="cn=libuser,dc=directory,dc=nh" peername.ip="127.0.0.1" write
  by users ssf=71 read
  by * none
So I created a new LDIF with these modifications:
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to *
  by self write
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by dn.exact="cn=samba,dc=directory,dc=nh" peername.ip="127.0.0.1" write
  by dn.exact="cn=pam,dc=directory,dc=nh" peername.path="/var/run/ldapi" write
  by dn.exact="cn=libuser,dc=directory,dc=nh" peername.ip="127.0.0.1" write
  by users ssf=71 read
  by * read
And this is the resulting LDIF:
dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=sambaNTPassword by dn.exact="gidNumber=0+uidNumber=0,cn
 =peercred,cn=external,cn=auth" manage by dn.exact="cn=samba,dc=directory,dc=n
 h" peername.ip="127.0.0.1" write by self write by * none
olcAccess:: ezF9dG8gYXR0cnM9dXNlclBhc3N3b3JkIA0KIGJ5IGRuLmV4YWN0PSJnaWROdW1iZXI9MCt1aWROdW1iZXI9MCxjbj1wZWVyY3JlZCxjbj1leHRlcm5hbCxjbj1hdXRoIiBtYW5hZ2UNCiBieSBkbi5leGFjdD0iY249cGFtLGRjPWRpcmVjdG9yeSxkYz1uaCIgcGVlcm5hbWUucGF0aD0iL3Zhci9ydW4vbGRhcGkiIHdyaXRlIA0KIGJ5IGRuLmV4YWN0PSJjbj1saWJ1c2VyLGRjPWRpcmVjdG9yeSxkYz1uaCIgcGVlcm5hbWUuaXA9IjEyNy4wLjAuMSIgd3JpdGUNCiBieSBhbm9ueW1vdXMgYXV0aCANCiBieSBzZWxmIHdyaXRlIA0KIGJ5ICogbm9uZQ==
olcAccess:: ezJ9dG8gZG4uYmFzZT0iIg0KIGJ5ICogcmVhZA==
olcAccess:: ezN9dG8gKg0KIGJ5IHNlbGYgd3JpdGUNCiBieSBkbi5leGFjdD0iZ2lkTnVtYmVyPTArdWlkTnVtYmVyPTAsY249cGVlcmNyZWQsY249ZXh0ZXJuYWwsY249YXV0aCIgbWFuYWdlDQogYnkgZG4uZXhhY3Q9ImNuPXNhbWJhLGRjPWRpcmVjdG9yeSxkYz1uaCIgcGVlcm5hbWUuaXA9IjEyNy4wLjAuMSIgd3JpdGUgDQogYnkgZG4uZXhhY3Q9ImNuPXBhbSxkYz1kaXJlY3RvcnksZGM9bmgiIHBlZXJuYW1lLnBhdGg9Ii92YXIvcnVuL2xkYXBpIiB3cml0ZSANCiBieSBkbi5leGFjdD0iY249bGlidXNlcixkYz1kaXJlY3RvcnksZGM9bmgiIHBlZXJuYW1lLmlwPSIxMjcuMC4wLjEiIHdyaXRlIA0KIGJ5IHVzZXJzIHNzZj03MSByZWFkIA0KIGJ5ICogcmVhZA==
You can import this with this command:
ldapmodify -Y EXTERNAL -H ldapi:/// -f filename.ldif
No need to restart OpenLDAP; external queries are accepted immediately.
BIG FAT WARNING:
I still haven't tested the security implications of these modifications. I will do it in the future (I hope :)).
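As an added example (not code from the post above, and not part of OpenLDAP), here is a small Python script that reads olcAccess values the way slapd's cn=config stores them (base64 after "::", folded continuation lines, the CR/LF characters embedded inside the base64 values in the resulting LDIF), lists the rules in evaluation order, and flags what the new {3} rule changes: "by * read" on "to *" gives anonymous binds read access to every attribute not covered by an earlier rule, "by self write" on "to *" lets a user modify any attribute of their own entry (including posixAccount attributes such as uidNumber and gidNumber, which NSS trusts), and the "ssf=71" condition on "by users" is never enforced once "by * read" follows it. The sample LDIF is constructed for the example; its values are the rules from the post, with the {2} rule kept as the base64 string from the resulting LDIF, and the two hand-folded rules use two leading spaces because LDIF strips exactly one from each continuation line (base64 encoding, as the post does, avoids that trap entirely; modify_ldif below produces such a file).

```python
import base64
import re

# Constructed sample: {0} folded as slapd writes it (one leading space, split
# mid-token), {1} and {3} folded by hand with TWO leading spaces (LDIF strips
# exactly one; the second keeps the tokens apart), {2} as the base64 value
# taken from the post's resulting LDIF.
SAMPLE_LDIF = """\
dn: olcDatabase={2}bdb,cn=config
olcAccess: {0}to attrs=sambaNTPassword by dn.exact="gidNumber=0+uidNumber=0,cn
 =peercred,cn=external,cn=auth" manage by dn.exact="cn=samba,dc=directory,dc=n
 h" peername.ip="127.0.0.1" write by self write by * none
olcAccess: {1}to attrs=userPassword
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by anonymous auth
  by self write
  by * none
olcAccess:: ezJ9dG8gZG4uYmFzZT0iIg0KIGJ5ICogcmVhZA==
olcAccess: {3}to *
  by self write
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by users ssf=71 read
  by * read
"""

PASSWORD_ATTRS = {"userPassword", "sambaNTPassword"}


def ldif_values(ldif_text, attr):
    """Unfold continuation lines, then return attr's values in file order,
    base64-decoding those written with '::'."""
    unfolded = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # RFC 2849: drop exactly one space
        else:
            unfolded.append(raw)
    values = []
    for line in unfolded:
        if line.startswith(attr + "::"):
            values.append(base64.b64decode(line[len(attr) + 2:].strip()).decode())
        elif line.startswith(attr + ":"):
            values.append(line[len(attr) + 1:].strip())
    return values


def parse_acl(value):
    """Split one olcAccess value into (index, what, [(who, access), ...])."""
    text = " ".join(value.split())           # collapses CR/LF inside base64 values
    m = re.match(r"(?:\{(\d+)\})?to\s+(.*)$", text)
    if not m:
        raise ValueError(f"not an access directive: {text!r}")
    index = int(m.group(1)) if m.group(1) is not None else None
    parts = re.split(r"\s+by\s+", m.group(2))
    clauses = []
    for clause in parts[1:]:
        tokens = clause.split()              # the last token is the access level
        clauses.append((" ".join(tokens[:-1]), tokens[-1]))
    return index, parts[0], clauses


def audit(rules):
    """Findings for an ordered rule list under slapd's first-match semantics
    (first matching 'to' wins, then the first matching 'by'). Simplified:
    ignores stop/break/continue controls."""
    findings, protected, after_catch_all = [], set(), False
    for index, what, clauses in rules:
        access = dict(clauses)
        if after_catch_all:
            findings.append(f"{{{index}}} is unreachable: a 'to *' rule precedes it")
            continue
        if what.startswith("attrs="):
            for a in set(what[len("attrs="):].split(",")) & PASSWORD_ATTRS:
                if access.get("*", "none") != "none":
                    findings.append(f"{{{index}}}: {a} is not 'by * none'")
                protected.add(a)
        if what == "*":
            after_catch_all = True
            if access.get("*") == "read":
                findings.append(f"{{{index}}}: 'by * read' lets anonymous binds read every "
                                "attribute not covered by an earlier rule")
            if access.get("self") == "write":
                findings.append(f"{{{index}}}: 'by self write' lets users change any attribute "
                                "of their own entry (uidNumber, gidNumber, loginShell, ...)")
            if access.get("*") == "read" and any(
                    who.split()[0] == "users" and "ssf=" in who for who, _ in clauses):
                findings.append(f"{{{index}}}: the ssf= condition on 'by users' is ineffective "
                                "because 'by * read' follows it")
            for a in sorted(PASSWORD_ATTRS - protected):
                findings.append(f"{a} has no rule before {{{index}}}, so 'to *' governs it")
    return findings


def modify_ldif(dn, attr, values):
    """Render a 'replace' LDIF with every value base64-encoded, so neither
    folding nor embedded newlines can corrupt it (what the post's file does)."""
    out = [f"dn: {dn}", "changetype: modify", f"replace: {attr}"]
    out += [f"{attr}:: {base64.b64encode(v.encode()).decode()}" for v in values]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    rules = [parse_acl(v) for v in ldif_values(SAMPLE_LDIF, "olcAccess")]
    for index, what, clauses in rules:
        print(f"{{{index}}} to {what}")
        for who, level in clauses:
            print(f"    by {who} {level}")
    for finding in audit(rules):
        print("!", finding)
```

To check a live server instead of the sample, feed it the output of `slapcat -n 0` (or the `olcDatabase={2}bdb.ldif` file itself) in place of SAMPLE_LDIF; the three findings it prints for the sample are exactly the points to decide on before leaving {3} in place.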