[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: [LDAP-SOFTWARE] ACLand regex (matching self)



Goodday.

> At 10:55 AM 2/23/2003, Ace Suares wrote:
> >In 2.1.12 in doc/man5/slapd.access.5 is some information, the same as in
> > the ldap admin guide 2.1 as far as I can see. It's not clear to me where
> > the 'system' entries are listed and that there are system entires at all
> > and how to put ACL's on them.
>
> The admin guide clarifies this:
>         As this is the first database, the controls also apply
>         to entries not held in any database (such as the Root DSE).

This didn't clarufy anything for me (but bear with me for a moment).

> I've added a clarification to slapd.access(5) as well.

Is this the slapd.access(5) in the latest cvs release (called HEAD if I am
 not mistaken) or can I find this in 2.1.12 ?

{snip}

> The root DSE (DSA-specific entry) is the entry at the
> root of the DSA Information Tree.  DSA here means "directory
> server agent".  The empty DN refers to the root DSE.

Prompted by your explanation how to read log files (which was a great help!)
I started studying these requests for "" (the Root DSE).

first, I discoverd that 'search' access was needed for "" "objectClass".
I added a rule:

access to attr=objectclass
	by users search

Then, the next things that needed read access came up, and I added a rule:

access to attr=entry,namingContexts,subschemaSubentry
	by users read

Then, still stuff needs to be given access to:

Feb 25 02:35:42 curacao slapd[800]: => acl_mask: access to entry
"cn=Subschema", attr "entry" requested
{snip}
Feb 25 02:35:42 curacao slapd[800]: => acl_get: [1] check attr ldapSyntaxes
{snip}
Feb 25 02:35:42 curacao slapd[800]: => acl_get: [1] check attr matchingRules

and so on.

Now, I seem to have discoverd at least *something* - that there where ACL's
for system attributes and the root DSE missing (I hope I phrase this
correctly).

But, rather then going on readng the logfiles and adding rules that will give
probably to much access to things I don't know of, I'd like to ask two
questions:

1. is it normal that these things (whatever they are) need to be defined by
me, the admin (or user if you prefer) ?

2. if so, where can I find a list of all the things I need to give ACL's for
 ?

I am totally flabbergasted. I can't find any reference to these 'things' in
any of the standard docs (man pages and admin guide).

In the example slapd.conf deliverd with 2.0.23 there is also nothing special,
the acl's in that file are:

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
access to attribute=userPassword
        by dn="cn=admin,dc=suares,dc=an" write
        by anonymous auth
        by self write
        by * none

# The admin dn has full write access
access to *
        by dn="cn=admin,dc=suares,dc=an" write
        by * read

# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
access to dn=".*,ou=Roaming,o=morsnet"
        by dn="cn=admin,dc=suares,dc=an" write
        by dnattr=owner write


And that's it.

Thank you in advance for any clarification. (I feel that somehow there is an
essential part of my ldap installation missing, could that be the case ?)

Ace