[Date Prev][Date Next] [Chronological] [Thread] [Top]

Schema not available with restrictive ACLs

To: <openldap-software@OpenLDAP.org>
Subject: Schema not available with restrictive ACLs
From: "adp" <dap99@i-55.com>
Date: Fri, 14 May 2004 13:10:37 -0500

Hi again! I was working to clamp down on our openldap server with ACLs and
noticed that some tools that expect to see the schema from the LDAP server
(I believe this is always made available to an LDAP client, even when using
an anon. bind) failed. Is there a way I can stop anon. connections but still
allow schema viewing?

Our ACLs basically consists of this:

access to attrs=userPassword
        by * auth

access to dn=".*,ou=People,dc=example,dc=com"
        by dn="uid=app,ou=Accounts,dc=example,dc=com" write
        by dn="uid=app2,ou=Accounts,dc=example,dc=com" read
        by dn="uid=app3,ou=Accounts,dc=example,dc=com" read

I read the slapd.conf manpage and I didn't see anything specific to ACLs and
schemas.

I was thinking of something along the lines of:

access to schema
        by * read

access to attrs=userPassword
        by * auth

access to dn=".*,ou=People,dc=example,dc=com"
        by dn="uid=app,ou=Accounts,dc=example,dc=com" write
        by dn="uid=app2,ou=Accounts,dc=example,dc=com" read
        by dn="uid=app3,ou=Accounts,dc=example,dc=com" read

Follow-Ups:
- Re: Schema not available with restrictive ACLs
  - From: Tony Earnshaw <tonye@billy.demon.nl>

Prev by Date: Best way to manage multiple accounts
Next by Date: Re: Preference for editing ACLs
Index(es):
- Chronological
- Thread