[Date Prev][Date Next] [Chronological] [Thread] [Top]

schema access must not be crontrolled by ACL (ITS#2706)

Full_Name: suomi hasler
Version: openldap-2.1.22-1
OS: Linux  2.4.19-4GB
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

i am intending to use LDAP for nss purpose. to this aim, i install as
restrictive ACLs as possible. But when i installed the following ACL:

access to *
        by dn="cn=suomi,ou=pam-ldap,dc=ayni,dc=com"     write
        by dn="cn=manager,dc=ayni,dc=com"     write
        by self write
        by anonymous none

i could not even read such basic things as the namingcontext and the schema any

rfc 2251 says (3.2.2)

   Servers which follow X.500(93) models SHOULD implement subschema
   using the X.500 subschema mechanisms, and so these subschemas are not
   ordinary entries.  LDAP clients SHOULD NOT assume that servers
   implement any of the other aspects of X.500 subschema.  A server
   which masters entries and permits clients to modify these entries
   MUST implement and provide access to these subschema entries, so that
   its clients may discover the attributes and object classes which are
   permitted to be present. It is strongly recommended that all other
   servers implement this as well.

that lets me think that entries like the namingcontext and the schema must not
be protected by ACL.