
Re: [LDAP-SOFTWARE] ACLand regex (matching self)

At 11:45 AM 2/24/2003, Ace Suares wrote:

>> 1. is it normal that these things (whatever they are) need to be defined by
>> me, the admin (or user if you prefer) ?
>> 2. if so, where can I find a list of all the things I need to give ACL's
>> for ?
>> I am totally flabbergasted. I can't find any reference to these 'things' in
>> any of the standard docs (man pages and admin guide).
>I found something on a mailing list for redhat 7.2
># Sample Access Control
>#       Allow read access of root DSE
>#       Allow self write access
>#       Allow authenticated users read access
>#       Allow anonymous users to authenticate
>#access to dn="" by * read
>#access to *
>#       by self write
>#       by users read
>#       by anonymous auth

This is the default slapd.conf provided with OpenLDAP 2.x....

>Of course, only the first acl is interesting:

Actually, what's interesting here is the comment just before
the access control directives.  It summarizes an access control
policy.  Before you write one access control statement, you
should describe the policy to be implemented.

>#Allow read access of root DSE
>access to dn="" by * read
>I put this in my ACL, but then the next thing that went wrong is:
>Feb 25 03:10:04 curacao slapd[864]: => access_allowed: search access to 
>"cn=Subschema" "objectClass" requested

Well, what policy are you attempting to implement?

>So, now I suspect that somewhere a DN 'cn=Subschema' must exist. But, that is 
>not in the root DSE anymore, if I understand this correctly.

The subschema has never been published in the root DSE.  It's
published in a subschema subentry called (unless you change it)

>Do I need to make these dn's or are they 'system' dn's ?

The server always "makes" them...  Whether they are accessible
or not depends upon what access controls you put in place.