
Re: Solved: Re: Possible ACL Issue while try to read Root DSE



Hi Dieter,

On 01.12.2011 09:27, Dieter Klünter wrote:
On Wed, 30 Nov 2011 22:05:24 +0100,
Axel Birndt <towerlexa@gmx.de> wrote:

Is this security-conformant? Or is it better to allow only authenticated
users to read this?

Are there any best practices for this?

dn.base="" exposes rootDSE which has to be read by any client, so this
should be anonymous readable, same applies to cn=subschema as clients
have to know the attribute types and objectclasses available.
But nobody should have access to schema database, so remove rule {1}

Thanks for your hint.

I changed my rules now to this:

- for olcDatabase={-1}frontend,cn=config

{0}to dn.base="" by * read
{1}to dn.base="cn=Subschema" by * read
{2}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break

- for olcDatabase={1}hdb,cn=config

{0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=2axels-company,dc=ro" write by anonymous auth by self write by * none
{1}to dn.base="" by * read
{2}to dn.base="cn=Subschema" by * read
{3}to * by dn="cn=admin,dc=2axels-company,dc=de" write by * read

In my opinion it's not needed to have rules {1} and {2} in the "olcDatabase={1}hdb,cn=config" section, right?

At the moment this is the result of my testing all around the ACL rules...


--


Regards, Axel
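Added here as an example (not code from the thread or from OpenLDAP itself): a simplified Python model of how slapd walks an olcAccess rule set, fed with the two rule sets posted above, so the level an anonymous client ends up with on the rootDSE, cn=Subschema, cn=config and a userPassword attribute can be checked offline. It only models the dn.base, attrs, dn/dn.exact, anonymous, self and * forms with stop/break, assumes the admin DN reads dc=de in both hdb rules, and does not model how slapd assigns a request to a database, so the real ldapsearch against the server remains the final check.

```python
import shlex
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def parse_rule(text):
    toks, clauses = shlex.split(text), []      # shlex drops the quotes in dn.base=""
    assert toks[0] == "to", text
    i = 2
    while i < len(toks):
        assert toks[i] == "by", text
        who, level, control, i = toks[i + 1], None, "stop", i + 2
        if i < len(toks) and toks[i] in LEVELS: level, i = toks[i], i + 1
        if i < len(toks) and toks[i] in ("stop", "break"): control, i = toks[i], i + 1
        clauses.append((who, level, control))
    return toks[1], clauses

def what_matches(what, dn, attr):
    key, _, val = what.partition("=")
    if what == "*": return True
    if key == "dn.base": return dn.lower() == val.lower()   # the rootDSE is the empty DN
    if key == "attrs": return attr is not None and attr.lower() in val.lower().split(",")
    raise ValueError("unsupported <what>: " + what)

def who_matches(who, dn, bind_dn):                          # bind_dn None = anonymous
    key, _, val = who.partition("=")
    if who == "*": return True
    if who == "anonymous": return bind_dn is None
    if who == "self": return bind_dn is not None and bind_dn.lower() == dn.lower()
    if key in ("dn", "dn.exact"): return bind_dn is not None and bind_dn.lower() == val.lower()
    raise ValueError("unsupported <who>: " + who)

def granted(rules, dn, attr=None, bind_dn=None):
    # First matching <to>, first matching <by>; 'break' carries the level on to the
    # next <to>; a matching <to> with no matching <by> denies (implicit 'by * none').
    level = "none"
    for what, clauses in rules:
        if not what_matches(what, dn, attr): continue
        hit = next(((lv, c) for w, lv, c in clauses if who_matches(w, dn, bind_dn)), None)
        if hit is None: return "none"
        level = hit[0] or level                             # no <access> given: unchanged
        if hit[1] == "stop": return level
    return level

# Axel's two rule sets; the admin DN is assumed to be ...,dc=de in both hdb rules.
FRONTEND = [parse_rule(r) for r in (
    'to dn.base="" by * read',
    'to dn.base="cn=Subschema" by * read',
    'to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * break')]
HDB = [parse_rule(r) for r in (
    'to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=2axels-company,dc=de" write'
    ' by anonymous auth by self write by * none',
    'to * by dn="cn=admin,dc=2axels-company,dc=de" write by * read')]
```

Compare `LEVELS.index(granted(...))` against the level a request needs: an anonymous search of userPassword needs "read" but is only granted "auth", so it is refused while a simple bind can still use the attribute.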
