[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: [LDAP-SOFTWARE] ACLand regex (matching self)


Is there anyone on the list that can help me with these questions ?
Howard, it seems you are updating the admin guide, and even have the feeling 
that no one reads it. I check the admin guide several times a week ;-) but 
can't find any additions as to the questions I raise.

Is there anybody on the list that experiences the same problems (that is, ACL 
don't work as expected because there are hidden objects that need some level 
of access ?)

Should I file a bug report instead ? (There's a very reproducable anomaly in 
the effect that ACL's have when the rootDSE is not explicitly granted access 

Many greetings,

> HI Kurt,
> again, these questions, could you help me with a (real) answer ?
> > >> 1. is it normal that these things (whatever they are) need to be
> > >> defined by me, the admin (or user if you prefer) ?
> > >>
> > >> 2. if so, where can I find a list of all the things I need to give
> > >> ACL's for ?
> {snip}
> > >Feb 25 03:10:04 curacao slapd[864]: => access_allowed: search access to
> > >"cn=Subschema" "objectClass" requested
> >
> > Well, what policy are you attempting to implement?
> I try to implement a policy based on all the entries I entered. But there
> seem to be more (hidden, unknown) entries, that interfere with my entries
> and ACL's. The rootDSE is one of them. are there more ? What is the full
> list of entries that are made by the system itself and to which of them I
> should grant acces to read, write, search, whatever ?
> As you remember, this thread started off with a lot of confusion on my
> side. I am much closer to understanding what is happening now, but I miss
> this essential part of information. I've never heard of 'cn=Subschema' and
> I didn't create it myself. Isn't it only fair that you or anyone else tells
> me what's under the hood ?
> And 'use the source, Luke' won't do ;)
> I looked at the source but the C-code is for me like a... bulgarian ( I
> know some of it but not enough to survive).
> Some critique: I find it strange that my ACL's and my LDIF entries are not
> the only thing I have to think about. Why should I think of the Root DSE ?
> Fact is, without the rootdse access, my ACL's are *not* behaving like they
> should.
> TIA,
> Ace
> > >So, now I suspect that somewhere a DN 'cn=Subschema' must exist. But,
> > > that is not in the root DSE anymore, if I understand this correctly.
> >
> > The subschema has never been published in the root DSE.  It's
> > published in a subschema subentry called (unless you change it)
> > "cn=Subschema".
> >
> > >Do I need to make these dn's or are they 'system' dn's ?
> >
> > The server always "makes" them...  Whether they are accessible
> > or not depends upon what access controls you put in place.