
(ITS#5625) memberOf search ACLs



Full_Name: Andrew Bartlett
Version: CVS HEAD
OS: Fedora 9
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (59.167.251.137)


From thread on openldap-technical:

> Hmm, I have the module loaded globally - perhaps I need a global rootdn
> of some kind defined?
> 
> I have one per-database (now), but the documentation strongly encourages
> one not to have a rootdn at all. 

The fix was to define rootdn globally (as the module operates globally),
and then to give it explicit manage access in an ACL, e.g.:

access to dn.subtree="${DOMAINDN}"
       by dn=cn=samba-admin,cn=samba manage
       by dn=cn=manager manage
       by * none

rootdn cn=Manager

Adding a rootdn to each database then quashed the warnings about 'rootdn
can always manage'.  

Otherwise, if I had 'by * read' then this also allowed the module to operate
correctly (but without the secrecy I desired).
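Added here as an illustration, not part of Andrew's report: a small Python check that applies the rule he arrived at to a constructed slapd.conf fragment, flagging each 'access to' stanza where the globally defined rootdn is neither granted manage explicitly nor covered by a permissive 'by *' catch-all (the 'by * read' case that works but loses secrecy). The parser is deliberately minimal and assumes only dn=/dn.exact=/dn.base= who-clauses name the rootdn.

```python
import re
# Constructed slapd.conf fragment (not from the report) covering the three cases it describes.
SAMPLE_CONF = """\
rootdn cn=Manager
access to dn.subtree="dc=samba,dc=example"
       by dn=cn=samba-admin,cn=samba manage
       by dn=cn=manager manage
       by * none
access to dn.subtree="ou=groups,dc=example"
       by * read
access to dn.subtree="ou=secret,dc=example"
       by dn=cn=samba-admin,cn=samba manage
       by * none
database bdb
rootdn "cn=dbadmin,dc=example"
"""

def logical_lines(text):
    """Join slapd.conf continuation lines (lines beginning with whitespace)."""
    out = []
    for raw in text.splitlines():
        if raw[:1].isspace() and out:
            out[-1] += " " + raw.strip()
        elif raw.strip() and not raw.startswith("#"):
            out.append(raw.strip())
    return out

def norm_dn(dn):  # strip quotes, fold case (cn= components compare case-insensitively)
    return dn.strip().strip('"').lower()

def audit_acls(conf):
    """Return (global rootdn, [(target, verdict), ...]), one per 'access to'."""
    rootdn, findings, in_global = None, [], True
    for line in logical_lines(conf):
        if line.lower().startswith("database"):
            in_global = False  # any rootdn after this is per-database, not global
        elif line.lower().startswith("rootdn") and in_global:
            rootdn = norm_dn(line.split(None, 1)[1])
        elif line.lower().startswith("access"):
            target, *clauses = re.split(r"\s+by\s+", line.split(None, 2)[2], flags=re.I)
            verdict = "BROKEN: global rootdn gets no access here"
            for clause in clauses:
                who, level = re.match(r"(?:dn(?:\.exact|\.base)?=)?(\S+)\s*(\S*)", clause).groups()
                if rootdn and norm_dn(who) == rootdn and level == "manage":
                    verdict = "OK: explicit manage grant for global rootdn"
                    break
                if who == "*" and level in ("read", "write", "manage"):
                    verdict = "WORKS but leaks: relies on 'by * %s'" % level
            findings.append((target, verdict))
    return rootdn, findings
```

Run `audit_acls(open("slapd.conf").read())` against a real file to get one verdict per stanza; a manage grant to some other DN (the samba-admin line in the last stanza) does not count, since the module runs as the global rootdn.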