
Re: Backend "access" directive is triggered when searching on RootDSE (ITS#1147)



That's the intended behavior.  That is, for entries not within
a database, the first database rules apply (followed by any
global ACLs which may be in place).  The admin guide notes this
further down... but I agree that the section you refer to needs
to be reworded.

Kurt

At 08:04 PM 5/13/01, Rafael.Corvalan@linkvest.com wrote:
>Full_Name: Rafael Corvalan
>Version: 2.0.7-14
>OS: RedHat Linux 7.1
>URL: ftp://ftp.openldap.org/incoming/
>Submission from: (NULL) (194.209.53.20)
>
>
>Hi,
>According to the OpenLDAP 2.0 Administrator Guide (Chapter 5.4), a directive
>"access to * by * read" on the global configuration section would apply "when
>the target objects are not under the control of any database (such as the Root
>DSE)".
>
>Here is an extract of a slapd.conf:
>
>===================================
># Global directives
><... skipped lines ...>
>access to * by * read
><... skipped lines ...>
>
>database ldbm
>directory /var/lib/ldap
>suffix          "dc=company, dc=com"
>suffix          "dc=company1, dc=com"
><... skipped lines ...>
>access to attr=userPassword
>            by self write
>            by anonymous auth
> 
>access to attr=telephoneNumber
>            by self write
>            by * read
> 
>access to * by users read
>===================================
>
>According to the Admin Guide, the following command:
>ldapsearch -h localhost -b '' -s base -x +
>should return all the attributes of the rootDSE. But this doesn't work.
>
>If I replace the last line by:
>access to dn="(.*,)?dc=company1?,dc=com" by users read
>it works. I can anonymously get the RootDSE attributes.
>
>This means that the last "access" directive of the ldbm backend has been
>triggered for a request where there were no database requested.
>
>Is it a normal behaviour? (I don't think so, and if it is the case, the Admin
>Guide is wrong).
>
>Thanks
>Rafael
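
The following slapd.conf fragment is an added illustration of the evaluation order described in the reply above; it is not part of the original report or of the OpenLDAP documentation. It assumes the OpenLDAP 2.0 syntax in which dn= takes a regular expression, so "^$" is assumed to match the empty DN of the RootDSE; the suffix values are the ones from the reporter's configuration. Because the rules of the first database are consulted before any global ACL, a catch-all "access to *" in that database shadows the global "access to * by * read" for the RootDSE. Two ways to get the expected result are shown: give the first database an explicit rule for the empty DN before its catch-all, or (as the reporter did) scope the catch-all to the database's own suffixes so that the RootDSE falls through to the global rule.

```conf
# Global directives (added example, not from the original report)
# Consulted only after the rules of the first database have been tried.
access to * by * read

database ldbm
directory /var/lib/ldap
suffix          "dc=company, dc=com"
suffix          "dc=company1, dc=com"

access to attr=userPassword
            by self write
            by anonymous auth

access to attr=telephoneNumber
            by self write
            by * read

# Option A: an explicit rule for the RootDSE (empty DN), placed BEFORE
# the catch-all so that the catch-all never sees the RootDSE.
# "^$" is assumed to match the empty DN under 2.0's regex dn= syntax.
access to dn="^$"
            by * read

# Option B (the reporter's fix): scope the catch-all to this database's
# suffixes. The RootDSE does not match, so evaluation continues to the
# global "access to * by * read".
access to dn="(.*,)?dc=company1?,dc=com"
            by users read

# What NOT to do for this purpose: an unscoped catch-all in the first
# database matches the RootDSE as well and denies anonymous reads of it,
# since anonymous is not "users" and the global ACL is never reached.
# access to * by users read
```

Either option can be checked with the same anonymous base search from the report, `ldapsearch -h localhost -b '' -s base -x +`, which should then return the RootDSE operational attributes. Only one of the two options is needed; they are shown together to make the difference visible. Since this is a configuration fragment there is nothing to execute here.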