[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Schema not available with restrictive ACLs

To: Openldap list <openldap-software@OpenLDAP.org>
Subject: Re: Schema not available with restrictive ACLs
From: Tony Earnshaw <tonye@billy.demon.nl>
Date: Sat, 15 May 2004 00:29:56 +0200
In-reply-to: <016601c439de$dca80ba0$8800020a@yourqqh4336axf>
Organization: Billy
References: <016601c439de$dca80ba0$8800020a@yourqqh4336axf>

fre, 14.05.2004 kl. 20.10 skrev adp:

> Hi again! I was working to clamp down on our openldap server with ACLs and
> noticed that some tools that expect to see the schema from the LDAP server
> (I believe this is always made available to an LDAP client, even when using
> an anon. bind) failed. Is there a way I can stop anon. connections but still
> allow schema viewing?

Very recent versions prohibit anonymous binds by default. You could stop
viewing of everything until authenticated with strict ACLs (man
slapd.access). Though you can always view the schemas.

> Our ACLs basically consists of this:
> 
> access to attrs=userPassword
>         by * auth
> 
> access to dn=".*,ou=People,dc=example,dc=com"
>         by dn="uid=app,ou=Accounts,dc=example,dc=com" write
>         by dn="uid=app2,ou=Accounts,dc=example,dc=com" read
>         by dn="uid=app3,ou=Accounts,dc=example,dc=com" read
> 
> I read the slapd.conf manpage and I didn't see anything specific to ACLs and
> schemas.

slapd.access - but for the best things, make sure you have the most
recent OL version - preferably 2.2.11.

> I was thinking of something along the lines of:
> 
> access to schema
>         by * read

There is no objectclass or other attribute called "schema". Both are
properties of a "schema".

> access to attrs=userPassword
>         by * auth
> 
> access to dn=".*,ou=People,dc=example,dc=com"
>         by dn="uid=app,ou=Accounts,dc=example,dc=com" write
>         by dn="uid=app2,ou=Accounts,dc=example,dc=com" read
>         by dn="uid=app3,ou=Accounts,dc=example,dc=com" read

Why not? The sky's the limit. Though you'll soon get to do with hard
facts - for example everyone in a posixaccount must be able to see
others' posixaccount details as they would see them in /etc/password -
or with 'getent passwd person', 'id person' - or things "break". But
other attributes can be hidden with ACLs.

--Tonni

-- 

We make out of the quarrel with others rhetoric
but out of the quarrel with ourselves, poetry.

mail: billy - at - billy.demon.nl
http://www.billy.demon.nl

Follow-Ups:
- Re: Schema not available with restrictive ACLs
  - From: "adp" <dap99@i-55.com>

References:
- Schema not available with restrictive ACLs
  - From: "adp" <dap99@i-55.com>

Prev by Date: Re: Best way to manage multiple accounts
Next by Date: Re: Best way to manage multiple accounts
Index(es):
- Chronological
- Thread