
Re: ACLs applying to RootDSE



Matthew J. Smith wrote:
All-
  Section 5.4 of the online Handbook states, regarding ACLs:
"As this is the first database, the controls also apply to entries not
held in any database (such as the Root DSE)."

  It seems "funky" to me to have ACLs from one database definition apply
to data that does not exist in that database.  In the interest of
planning ahead, I'd like to ask: are there any plans to implement a
change in this behavior?  I see one of two approaches:
* Implement config sections to explicitly define Schema and RootDSE
params.
* Anything not explicitly defined in a database definition falls under
the Global ACLs.

  I am just curious if there will be a change to this, as I find it a
little "awkward" trying to keep each set of database configs in its own
modular location, and I don't necessarily have the same database listed
first in all replicas, so the ACLs can't necessarily be copied verbatim.

  Is there already a work-around that I am unaware of?  Is this a
problem for anyone else, or is it just me?


Define those ACLs before any database definition ...

i.e.:

[assuming the rest of the config file, such as schemas, is above]

access to dn.exact=""
        by * read

access to dn.subtree="cn=Subschema"
        by * read

database bdb

[continue database definitions]

Regards,
Buchan

--
Buchan Milne                      Senior Support Technician
Obsidian Systems                  http://www.obsidian.co.za
B.Eng                                RHCE (803004789010797)
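
The following is an added example, not part of the original thread: a small check that reports whether the root DSE and subschema rules in a slapd.conf sit above the first "database" line (global, as the reply suggests) or inside a database section. The function names and both sample configs are constructed for illustration, and only the exact rule spellings shown in the reply are matched.

```python
# Constructed sample: root DSE rule placed inside the first database section.
SAMPLE_PER_DB = '''\
database bdb
suffix "dc=example,dc=com"
access to dn.exact=""
        by * read
access to *
        by * read
'''
# Constructed sample laid out as in the reply: rules precede any database line.
SAMPLE_GLOBAL = '''\
access to dn.exact=""
        by * read

access to dn.subtree="cn=Subschema"
        by * read

database bdb
suffix "dc=example,dc=com"
'''
# Assumption: only the <what> spellings used in the reply are recognised.
TARGETS = {"rootdse": 'dn.exact=""', "subschema": 'dn.subtree="cn=subschema"'}

def logical_lines(text):
    """Join continuation lines (leading whitespace), then drop comments and blanks."""
    joined = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and joined:
            joined[-1] += " " + raw.strip()
        else:
            joined.append(raw.rstrip())
    return [l for l in joined if l.strip() and not l.startswith("#")]

def acl_placement(text):
    """Report where each target rule sits: 'global', 'database N' or 'missing'."""
    result = {name: "missing" for name in TARGETS}
    db_index = 0  # 0 means we are still above the first "database" directive
    for line in logical_lines(text):
        words = line.lower().split()
        if words[0] == "database":
            db_index += 1
        elif words[:2] == ["access", "to"] and len(words) > 2:
            for name, what in TARGETS.items():
                if words[2] == what and result[name] == "missing":
                    result[name] = "global" if db_index == 0 else f"database {db_index}"
    return result

if __name__ == "__main__":
    for label, conf in (("per-db", SAMPLE_PER_DB), ("global", SAMPLE_GLOBAL)):
        print(label, acl_placement(conf))
```

Running it against each replica's config shows at a glance which ones still depend on database ordering for these two rules.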