
Re: [LDAP-SOFTWARE] ACLand regex (matching self)

--On Tuesday, March 04, 2003 9:01 PM +0100 Peter Marschall <peter.marschall@mayn.de> wrote:


On Tuesday 04 March 2003 11:41, Ace Suares wrote:

Is there anyone on the list that can help me with these questions ?
Howard, it seems you are updating the admin guide, and even have the
feeling that no one reads it. I check the admin guide several times a
week ;-) but can't find any additions as to the questions I raise.

Is there anybody on the list that experiences the same problems (that is,
ACL don't work as expected because there are hidden objects that need
some level of access ?)

AFAIK there is only one object that seems to be hidden: the tree root, with
the name "" (the empty string between the quotes). This object is not hidden,
but simply has an empty name, which makes it hard to find. This object
contains information about the directory: where to find the schema, which
naming contexts are there, what LDAP controls/extensions the server
supports, ...

All this information is given in attributes of the rootDSE.
The values of these attributes may be DNs for branches in the
directory tree.
The most famous examples are the subschemaSubentry attribute, which
contains the DN of the schema, and the namingContexts attribute,
which contains the names of the top level nodes of your directory branches.

ldapsearch -b "" -s base '(objectclass=*)' +
gives you the information required.

All this and a lot more is well documented in RFC 2251 that describes


I disagree. I found with OpenLDAP that we had to give access to the non-existent "entry" attribute for people to be able to have access into the directory system.

access to attr=entry
	by * read


Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
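The ACL point raised in the reply above, shown as a pair of slapd.conf fragments. This is an added example, not configuration posted by anyone in the thread; the attribute names (cn, mail, userPassword) are ordinary schema attributes chosen for illustration and carry no values from the thread. In OpenLDAP the first "access to" clause whose target matches an attribute is the one that decides, and returning an entry needs read (or at least search) access to the "entry" pseudo-attribute; granting read on named attributes alone therefore leaves users with an empty result set.

```conf
# Weak form: read is granted on cn and mail, but "entry" is never named,
# so it falls through to the catch-all "access to *" and is denied.
# Ordinary users get no entries back even though the attributes look readable.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to attrs=cn,mail
        by users read
        by * none
access to *
        by * none

# Corrected form: "entry" is granted alongside the attributes, and the
# rootDSE (dn "") and the subschema entry are made readable in the global
# section so clients can discover namingContexts and subschemaSubentry
# as described earlier in the thread.
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to attrs=entry,cn,mail
        by users read
        by * none
access to *
        by * none
```

The rootDSE directives belong before the first "database" directive, since the rootDSE is served by the frontend and governed by the global ACLs; the same `ldapsearch -b "" -s base '(objectclass=*)' +` quoted above is the quickest check that anonymous clients can still read it after the change.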