
Re: ldapsearch not returning namingContexts



ben thielsen <btb@bitrate.net> writes:

>>>> dn: olcDatabase={-1}frontend,cn=config
>>>> olcDatabase: {-1}frontend
>>>> olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
>>> 
>>> this rule only allows root to access rootDSE via local socket, that is
>>> ldapi:///
>>> that is, as root: ldapsearch -Y EXTERNAL -H ldapi:/// -b "" -s base +
>>> 
>>> [...]
>> 
>> thank you - that explains it.  i'm left wondering how those acls for frontend and config got there - i don't recall ever explicitly setting them.  slapd isn't listening on a local socket, which would render them quite useless, right?

This is probably the default configuration of ubuntu. In order to
connect to slapd via a local socket, just add ldapi:/// to the init
script.

>> on a related note, regarding the frontend database - reading a bit
>> in the admin guide, my understanding is that the frontend database
>> is the appropriate location for such acls as olcAccess: to
>> dn.base="" by * read - is this correct?  i've done this, and the
>> behavior is now as i expect, but just curious about typical
>> practices.

Yes, this is correct.
>
> i've found this comment - http://www.mail-archive.com/openldap-technical@openldap.org/msg00491.html - which would seem to confirm my understanding of the frontend database as it relates to acls.

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
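For reference, the frontend ACL change discussed in this thread, written out as an LDIF modification. This is an added example, not something posted by anyone in the thread; it assumes the frontend entry shown above (olcDatabase={-1}frontend,cn=config), that the existing root-over-ldapi rule already occupies index {0}, and a file name of frontend-rootdse.ldif:

```ldif
# Added example, not from the thread.
# Grants anonymous read access to the rootDSE (the entry with an empty DN)
# so that namingContexts and the other rootDSE attributes are visible over
# ldap://, while leaving the existing {0} rule untouched.
# Assumptions: frontend DN as quoted in the thread, existing rule at index {0}.
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcAccess
olcAccess: {1}to dn.base="" by * read
```

Because the existing {0} rule ends in `by * break`, evaluation continues to this {1} rule for every client that is not the local root identity, so anonymous clients get read on the rootDSE and nothing else from the frontend. Apply it as root over the local socket, which, as Dieter notes, requires ldapi:/// to be among slapd's listeners: `ldapmodify -Y EXTERNAL -H ldapi:/// -f frontend-rootdse.ldif`. Then check from an unprivileged client with `ldapsearch -x -H ldap://localhost -b "" -s base namingContexts`; the namingContexts attribute should now be returned. The rootDSE only carries server capability information (naming contexts, supported controls and SASL mechanisms), which is why making it world-readable is the usual practice and what the admin guide's examples do.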