
Re: [LDAP-SOFTWARE] ACLand regex (matching self)



Hi Kurt,
again, these questions; could you help me with a (real) answer?

> >> 1. is it normal that these things (whatever they are) need to be defined
> >> by me, the admin (or user if you prefer) ?
> >>
> >> 2. if so, where can I find a list of all the things I need to give ACL's
> >> for ?
{snip}
> >Feb 25 03:10:04 curacao slapd[864]: => access_allowed: search access to
> >"cn=Subschema" "objectClass" requested
>
> Well, what policy are you attempting to implement?

I am trying to implement a policy based on all the entries I entered. But there seem 
to be more (hidden, unknown) entries that interfere with my entries and 
ACLs. The rootDSE is one of them. Are there more? What is the full list of 
entries that are made by the system itself, and to which of them should I 
grant access to read, write, search, whatever?

As you remember, this thread started off with a lot of confusion on my side. I 
am much closer to understanding what is happening now, but I am missing this 
essential piece of information. I've never heard of 'cn=Subschema' and I 
didn't create it myself. Isn't it only fair that you or anyone else tells me 
what's under the hood?

And 'use the source, Luke' won't do ;)
I looked at the source, but the C code is for me like... Bulgarian (I know 
some of it but not enough to survive).

Some critique: I find it strange that my ACLs and my LDIF entries are not the 
only things I have to think about. Why should I think of the Root DSE? Fact 
is, without the rootDSE access, my ACLs are *not* behaving like they should. 

TIA,

Ace



>
> >So, now I suspect that somewhere a DN 'cn=Subschema' must exist. But, that
> > is not in the root DSE anymore, if I understand this correctly.
>
> The subschema has never been published in the root DSE.  It's
> published in a subschema subentry called (unless you change it)
> "cn=Subschema".
>
> >Do I need to make these dn's or are they 'system' dn's ?
>
> The server always "makes" them...  Whether they are accessible
> or not depends upon what access controls you put in place.
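As an added example, not part of this thread, here is the kind of slapd.conf ACL fragment the exchange is about. The root DSE is the entry with the empty DN and the subschema subentry is (by default) "cn=Subschema"; slapd creates both itself, so neither appears in the administrator's LDIF, yet both are subject to the "access to" clauses like any other entry. slapd evaluates those clauses in order and the first clause whose "to" part matches the entry decides, so the two server-generated entries get their own clauses ahead of the general rules. The dn.base selector and the dc=example,dc=com suffix are assumptions (dn.base is slapd 2.1+ syntax; older releases write dn="" and dn="cn=Subschema").

```conf
# Added example ACL fragment for slapd.conf (not from the thread).
# Clauses are tested in order; the first "access to" that matches the
# entry is the one applied, so the server-generated entries come first.
# Assumes slapd 2.1+ selector syntax (dn.base); on 2.0 use dn="".

# Root DSE: the entry with the empty DN. Clients read it to learn
# namingContexts, supportedLDAPVersion, supportedControl and so on.
access to dn.base=""
        by * read

# Subschema subentry: where slapd publishes the schema it loaded.
access to dn.base="cn=Subschema"
        by * read

# The administrator's own data, under the usual policy.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

access to dn.subtree="dc=example,dc=com"
        by self write
        by users read
        by anonymous auth
```

Whether the two server entries are readable by everyone or only by authenticated users is a policy choice, but denying the root DSE altogether is rarely intended, since clients use it to discover the server's naming contexts before they can search anything else. A quick check after restarting slapd is an anonymous base-scope search against each entry, e.g. `ldapsearch -x -b "" -s base "+"` and `ldapsearch -x -b cn=Subschema -s base "+"`; the `=> access_allowed:` lines in the slapd log show which clause each request hit.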