
RE: Backend "access" directive is triggered when searching on Roo tDSE (ITS#1147)

OK, thanks a lot for your answer.
I've read the admin guide and didn't find this information,
but I will re-read it again ;-)

Just let me comment on this behaviour. This means that the order
in which you put the database configurations is important, and
you should think twice before adding a new database
configuration before the first one. Also, before changing the
access lists of the first database defined, we have to check
that there are no conflicts with the access lists wanted for
non-database entries...
Bah, it's not really important, provided we know it.


-----Original Message-----
From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
Sent: lundi, 14. mai 2001 05:45
To: Rafael.Corvalan@linkvest.com
Cc: openldap-its@OpenLDAP.org
Subject: Re: Backend "access" directive is triggered when searching on
RootDSE (ITS#1147)

That's the intended behavior.  That is, for entries not within
a database, the first database rules apply (followed by any
global ACLs which may be in place).  The admin guide notes this
further down... but I agree that the section you refer to needs
to be reworded.


At 08:04 PM 5/13/01, Rafael.Corvalan@linkvest.com wrote:
>Full_Name: Rafael Corvalan
>Version: 2.0.7-14
>OS: RedHat Linux 7.1
>URL: ftp://ftp.openldap.org/incoming/
>Submission from: (NULL) (
>According to the OpenLDAP 2.0 Administrator Guide (Chapter 5.4), a
>"access to * by * read" on the global configuration section would apply
>the target objects are not under the control of any database (such as the
>Here is an extract of a slapd.conf:
># Global directives
><... skipped lines ...>
>access to * by * read
><... skipped lines ...>
>database ldbm
>directory /var/lib/ldap
>suffix          "dc=company, dc=com"
>suffix          "dc=company1, dc=com"
><... skipped lines ...>
>access to attr=userPassword
>            by self write
>            by anonymous auth
>access to attr=telephoneNumber
>            by self write
>            by * read
>access to * by users read
>According to the Admin Guide, the following command:
>ldapsearch -h localhost -b '' -s base -x +
>should return all the attributes of the rootDSE. But this doesn't work.
>If I replace the last line by:
>access to dn="(.*,)?dc=company1?,dc=com" by users read
>it works. I can anonymously get the RootDSE attributes.
>This means that the last "access" directive of the ldbm backend has been
>triggered for a request where there were no database requested.
>Is it a normal behaviour? (I don't think so, and if it is the case, the
>Guide is wrong).
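Added example, not part of the thread above: a slapd.conf fragment in the OpenLDAP 2.0-style syntax the report uses, showing how the first database's ACL block can be written so that the rootDSE stays readable without relying on the global `access to * by * read` ever being reached. The `dn="^$"` regex for the empty DN is my assumption about the 2.0 regex dn spec, not something stated in the thread; check it against the slapd.access(5) page of the version you run.

```conf
# Global directives
# This global ACL is only consulted AFTER the ACLs of the first database
# defined below, even for entries that belong to no database (the rootDSE,
# whose DN is "").  It therefore does not by itself make the rootDSE readable.
access to * by * read

# Keep this database FIRST in slapd.conf: non-database entries such as the
# rootDSE are evaluated against this database's ACLs before the global ones.
database ldbm
directory /var/lib/ldap
suffix          "dc=company, dc=com"
suffix          "dc=company1, dc=com"

# Explicit rule for the rootDSE (empty DN).  Assumed: in the 2.0 regex dn
# spec, "^$" matches only the empty string, so this rule matches DN "" and
# nothing else.  Placed first so it is the matching rule for rootDSE reads.
access to dn="^$"
            by * read

# Rules for real entries under the suffixes (as in the original report).
access to attr=userPassword
            by self write
            by anonymous auth
access to attr=telephoneNumber
            by self write
            by * read

# Without the dn="^$" rule above, this catch-all would also match DN "",
# and "by users read" grants nothing to anonymous, so an anonymous rootDSE
# search would be denied before the global ACL is ever considered.
access to * by users read

# Check after restarting slapd (command from the report):
#   ldapsearch -h localhost -b '' -s base -x +
# should list the rootDSE attributes for an anonymous bind.
```

The important part is position, not just content: any ACL added to some other database, or to a database placed later in the file, has no effect on the rootDSE, and reordering the `database` sections changes which ACL block the rootDSE is checked against.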