Backend "access" directive is triggered when searching on RootDSE (ITS#1147)
Full_Name: Rafael Corvalan
Version: 2.0.7-14
OS: RedHat Linux 7.1
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (194.209.53.20)
Hi,
According to the OpenLDAP 2.0 Administrator Guide (Chapter 5.4), a directive
"access to * by * read" in the global configuration section would apply "when
the target objects are not under the control of any database (such as the Root
DSE)".
Here is an extract of a slapd.conf:
===================================
# Global directives
<... skipped lines ...>
access to * by * read
<... skipped lines ...>
database ldbm
directory /var/lib/ldap
suffix "dc=company, dc=com"
suffix "dc=company1, dc=com"
<... skipped lines ...>
access to attr=userPassword
        by self write
        by anonymous auth
access to attr=telephoneNumber
        by self write
        by * read
access to * by users read
===================================
According to the Admin Guide, the following command:
ldapsearch -h localhost -b '' -s base -x +
should return all the attributes of the rootDSE. But this doesn't work.
If I replace the last line by:
access to dn="(.*,)?dc=company1?,dc=com" by users read
it works. I can anonymously get the RootDSE attributes.
This means that the last "access" directive of the ldbm backend has been
triggered for a request where no database was requested.
Is this normal behaviour? (I don't think so, and if it is the case, the Admin
Guide is wrong.)
Thanks
Rafael
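
A small configuration lint for the situation reported above, added here as an example and not part of the original report or of OpenLDAP: it lists `access to *` rules placed inside a database section, which in the behaviour described were applied to the Root DSE instead of the global rule. The sample configuration is constructed from the extract in the report, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the extract in the report (elided lines omitted).
SAMPLE_CONF = """\
# Global directives
access to * by * read

database ldbm
directory /var/lib/ldap
suffix "dc=company, dc=com"
access to attr=userPassword
    by self write
    by anonymous auth
access to * by users read
"""

def logical_lines(text):
    """Join continuation lines (leading whitespace); drop comments and blanks."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def audit(text):
    """Return (global access rules, database-level catch-all rules)."""
    section, global_rules, findings = "global", [], []
    for line in logical_lines(text):
        words = line.split()
        keyword = words[0].lower()
        if keyword == "database":
            section = " ".join(words[:2])      # e.g. "database ldbm"
        elif keyword == "access":
            m = re.match(r"access\s+to\s+(\S+)", line, re.I)
            target = m.group(1) if m else ""
            if section == "global":
                global_rules.append(line)
            elif target == "*":                # not scoped to the database suffix
                findings.append((section, line))
    return global_rules, findings

if __name__ == "__main__":
    for section, rule in audit(SAMPLE_CONF)[1]:
        print(f"{section}: unscoped rule may also govern the Root DSE: {rule}")
```

Rewriting a flagged rule with a `dn=` target limited to the database suffixes, as in the workaround in the report, clears the finding.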