[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: [LDAP-SOFTWARE] ACLand regex (matching self)
- To: OpenLDAP-software@OpenLDAP.org
- Subject: Re: [LDAP-SOFTWARE] ACLand regex (matching self)
- From: Ace Suares <ace@suares.nl>
- Date: Tue, 4 Mar 2003 14:41:52 +0400
- In-reply-to: <200302271752.44445.ace@suares.nl>
- References: <200302242313.54822.ace@suares.nl> <5.2.0.9.0.20030225212355.0285aa90@127.0.0.1> <200302271752.44445.ace@suares.nl>
Hello,
Is there anyone on the list that can help me with these questions ?
Howard, it seems you are updating the admin guide, and even have the feeling
that no one reads it. I check the admin guide several times a week ;-) but
can't find any additions as to the questions I raise.
Is there anybody on the list that experiences the same problems (that is, ACL
don't work as expected because there are hidden objects that need some level
of access ?)
Should I file a bug report instead ? (There's a very reproducable anomaly in
the effect that ACL's have when the rootDSE is not explicitly granted access
too).
Many greetings,
ace
> HI Kurt,
> again, these questions, could you help me with a (real) answer ?
>
> > >> 1. is it normal that these things (whatever they are) need to be
> > >> defined by me, the admin (or user if you prefer) ?
> > >>
> > >> 2. if so, where can I find a list of all the things I need to give
> > >> ACL's for ?
>
> {snip}
>
> > >Feb 25 03:10:04 curacao slapd[864]: => access_allowed: search access to
> > >"cn=Subschema" "objectClass" requested
> >
> > Well, what policy are you attempting to implement?
>
> I try to implement a policy based on all the entries I entered. But there
> seem to be more (hidden, unknown) entries, that interfere with my entries
> and ACL's. The rootDSE is one of them. are there more ? What is the full
> list of entries that are made by the system itself and to which of them I
> should grant acces to read, write, search, whatever ?
>
> As you remember, this thread started off with a lot of confusion on my
> side. I am much closer to understanding what is happening now, but I miss
> this essential part of information. I've never heard of 'cn=Subschema' and
> I didn't create it myself. Isn't it only fair that you or anyone else tells
> me what's under the hood ?
>
> And 'use the source, Luke' won't do ;)
> I looked at the source but the C-code is for me like a... bulgarian ( I
> know some of it but not enough to survive).
>
> Some critique: I find it strange that my ACL's and my LDIF entries are not
> the only thing I have to think about. Why should I think of the Root DSE ?
> Fact is, without the rootdse access, my ACL's are *not* behaving like they
> should.
>
> TIA,
>
> Ace
>
> > >So, now I suspect that somewhere a DN 'cn=Subschema' must exist. But,
> > > that is not in the root DSE anymore, if I understand this correctly.
> >
> > The subschema has never been published in the root DSE. It's
> > published in a subschema subentry called (unless you change it)
> > "cn=Subschema".
> >
> > >Do I need to make these dn's or are they 'system' dn's ?
> >
> > The server always "makes" them... Whether they are accessible
> > or not depends upon what access controls you put in place.