[Date Prev][Date Next] [Chronological] [Thread] [Top]

Backend "access" directive is triggered when searching on RootDSE (ITS#1147)

Full_Name: Rafael Corvalan
Version: 2.0.7-14
OS: RedHat Linux 7.1
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

According to the OpenLDAP 2.0 Administrator Guide (Chapter 5.4), a directive
"access to * by * read" on the global configuration section would apply "when
the target objects are not under the control of any databse (such as the Root

Here is an extract of a slapd.conf:

# Global directives
<... skiped lines ...>
access to * by * read
<... skiped lines ...>

database ldbm
directory /var/lib/ldap
suffix          "dc=company, dc=com"
suffix          "dc=company1, dc=com"
<... skiped lines ...>
access to attr=userPassword
            by self write
            by anonymous auth
access to attr=telephoneNumber
            by self write
            by * read
access to * by users read

According to the Admin Guide, the following command:
ldapsearch -h localhost -b '' -s base -x +
should return all the attributes of the rootDSE. But this doesn't work.

If I replace the last line by:
access to dn="(.*,)?dc=company1?,dc=com" by users read
it works. I can anonymously get the RootDSE attributes.

This means that the last "access" directive of the ldbm backend has been
triggered for a request where there were no database requested.

Is it a normal behaviour? (and don't think so, and if it is the case, the Admin
Guide is wrong).