[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: schema access must not be crontrolled by ACL (ITS#2706)

At 07:13 AM 9/9/2003, suomi@ayni.com wrote:
>Full_Name: suomi hasler
>Version: openldap-2.1.22-1
>OS: Linux  2.4.19-4GB
>URL: ftp://ftp.openldap.org/incoming/
>Submission from: (NULL) (
>i am intending to use LDAP for nss purpose. to this aim, i install as
>restrictive ACLs as possible. But when i installed the following ACL:
>access to *
>        by dn="cn=suomi,ou=pam-ldap,dc=ayni,dc=com"     write
>        by dn="cn=manager,dc=ayni,dc=com"     write
>        by self write
>        by anonymous none
>i could not even read such basic things as the namingcontext and the schema any


>rfc 2251 says (3.2.2)
>   Servers which follow X.500(93) models SHOULD implement subschema
>   using the X.500 subschema mechanisms, and so these subschemas are not
>   ordinary entries.  LDAP clients SHOULD NOT assume that servers
>   implement any of the other aspects of X.500 subschema.  A server
>   which masters entries and permits clients to modify these entries
>   MUST implement and provide access to these subschema entries, so that
>   its clients may discover the attributes and object classes which are
>   permitted to be present. It is strongly recommended that all other
>   servers implement this as well.

The sentence is misleading (LDAPbis should clarify this).
Servers are free to subject any and all information they provide to
access control.