
Re: Possible ACL Issue while try to read Root DSE




On 11/29/2011 09:13 AM, Axel Birndt wrote:
> ldapsearch -x -D "" -s base -b "" -h localhost

You should expect a response exactly like this (unless your database
suffix is set to ""):

ldapsearch -x -D "" -s base -b "" -h localhost
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
objectClass: top
objectClass: OpenLDAProotDSE

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

According to your output, there is definitely some ACL issue at play.
Just like Quanah advised, look under olcDatabase={-1}frontend,cn=config
to see your global ACLs. Most likely you'll need to put something like
this as the very first rule there:
olcAccess: {0}to dn.base="" by * read

At least, of course. Some of the other ACL statements you listed in
olcDatabase={1}hdb,cn=config should also be under
olcDatabase={-1}frontend,cn=config to allow access to the schema.

-- 
Ondrej Kuznik

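As an added illustration of the advice above (not code from the mail or from OpenLDAP), the script below reads a list of `olcAccess` values as they would appear under `olcDatabase={-1}frontend,cn=config`, orders them by their `{N}` prefix, and checks that rule `{0}` is the `to dn.base="" by * read` rule so an anonymous bind can read the Root DSE. The sample ACL lists are constructed; the access-level ordering and first-match "by" evaluation follow slapd.access(5), but numeric `=` / `+` access specs are treated conservatively as no access.

```python
import re

# Constructed frontend ACL lists, not taken from the original thread.
FRONTEND_ACLS_BROKEN = [
    '{0}to attrs=userPassword by self write by anonymous auth by * none',
    '{1}to * by users read by * none',
]
FRONTEND_ACLS_FIXED = [
    '{0}to dn.base="" by * read',
    '{1}to dn.base="cn=subschema" by * read',
    '{2}to attrs=userPassword by self write by anonymous auth by * none',
    '{3}to * by users read by * none',
]

# slapd access levels from weakest to strongest (slapd.access(5)).
LEVELS = ['none', 'disclose', 'auth', 'compare', 'search', 'read', 'write', 'manage']

_ORDERED = re.compile(r'^\{(\d+)\}(.*)$')            # {N} ordering prefix
_RULE = re.compile(r'^to\s+(?P<what>.+?)\s+by\s+(?P<by>.+)$')

def parse_olc_access(values):
    """Return (index, what, [(who, access), ...]) tuples sorted by {N}."""
    rules = []
    for v in values:
        m = _ORDERED.match(v.strip())
        idx, body = (int(m.group(1)), m.group(2)) if m else (len(rules), v.strip())
        r = _RULE.match(body.strip())
        if not r:
            raise ValueError(f'unparseable olcAccess value: {v!r}')
        clauses = []
        for clause in r.group('by').split(' by '):
            who, _, rest = clause.strip().partition(' ')
            # Missing access is treated as 'none' here (conservative choice).
            access = rest.split()[0] if rest.strip() else 'none'
            clauses.append((who, access if access in LEVELS else 'none'))
        rules.append((idx, r.group('what'), clauses))
    return sorted(rules, key=lambda rule: rule[0])

def anonymous_access(clauses):
    """Access an anonymous bind gets: the first matching 'by' clause wins."""
    for who, access in clauses:
        if who in ('*', 'anonymous'):
            return access
    return 'none'

def root_dse_readable(values):
    """True if the very first frontend rule lets anyone read the Root DSE."""
    rules = parse_olc_access(values)
    if not rules:
        return False, 'no olcAccess rules found under the frontend database'
    idx, what, clauses = rules[0]
    if what != 'dn.base=""':
        return False, f'first rule {{{idx}}} targets {what!r}, not dn.base=""'
    level = anonymous_access(clauses)
    if LEVELS.index(level) < LEVELS.index('read'):
        return False, f'first rule grants anonymous only {level!r}'
    return True, 'ok'
```

Feed it the values from `ldapsearch -Y EXTERNAL -H ldapi:/// -b 'olcDatabase={-1}frontend,cn=config' olcAccess` to check a live server's configuration.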