[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Schema not available with restrictive ACLs

To: "Openldap list" <openldap-software@OpenLDAP.org>
Subject: Re: Schema not available with restrictive ACLs
From: "adp" <dap99@i-55.com>
Date: Sun, 16 May 2004 11:04:38 -0500
References: <016601c439de$dca80ba0$8800020a@yourqqh4336axf> <1084573795.11445.44.camel@localhost>

I should have made more clear that "access to schema" was entirely made up
by me. I know that is really invalid. I was just trying to make it clear
what I wanted to do. AD lets you do this for example. You can access the
schema, but anything past that requires authentication.

Hmm.. time to rephrase I think.

My question can be summed up as this: How can I ensure all applications can
access my schema while still restricting access to everything in my LDAP
directory to auth users only?

----- Original Message -----
From: "Tony Earnshaw" <tonye@billy.demon.nl>
To: "Openldap list" <openldap-software@OpenLDAP.org>
Sent: Friday, May 14, 2004 5:29 PM
Subject: Re: Schema not available with restrictive ACLs


> fre, 14.05.2004 kl. 20.10 skrev adp:
>
> > Hi again! I was working to clamp down on our openldap server with ACLs
and
> > noticed that some tools that expect to see the schema from the LDAP
server
> > (I believe this is always made available to an LDAP client, even when
using
> > an anon. bind) failed. Is there a way I can stop anon. connections but
still
> > allow schema viewing?
>
> Very recent versions prohibit anonymous binds by default. You could stop
> viewing of everything until authenticated with strict ACLs (man
> slapd.access). Though you can always view the schemas.
>
> > Our ACLs basically consists of this:
> >
> > access to attrs=userPassword
> >         by * auth
> >
> > access to dn=".*,ou=People,dc=example,dc=com"
> >         by dn="uid=app,ou=Accounts,dc=example,dc=com" write
> >         by dn="uid=app2,ou=Accounts,dc=example,dc=com" read
> >         by dn="uid=app3,ou=Accounts,dc=example,dc=com" read
> >
> > I read the slapd.conf manpage and I didn't see anything specific to ACLs
and
> > schemas.
>
> slapd.access - but for the best things, make sure you have the most
> recent OL version - preferably 2.2.11.
>
> > I was thinking of something along the lines of:
> >
> > access to schema
> >         by * read
>
> There is no objectclass or other attribute called "schema". Both are
> properties of a "schema".
>
> > access to attrs=userPassword
> >         by * auth
> >
> > access to dn=".*,ou=People,dc=example,dc=com"
> >         by dn="uid=app,ou=Accounts,dc=example,dc=com" write
> >         by dn="uid=app2,ou=Accounts,dc=example,dc=com" read
> >         by dn="uid=app3,ou=Accounts,dc=example,dc=com" read
>
> Why not? The sky's the limit. Though you'll soon get to do with hard
> facts - for example everyone in a posixaccount must be able to see
> others' posixaccount details as they would see them in /etc/password -
> or with 'getent passwd person', 'id person' - or things "break". But
> other attributes can be hidden with ACLs.
>
> --Tonni
>
> --
>
> We make out of the quarrel with others rhetoric
> but out of the quarrel with ourselves, poetry.
>
> mail: billy - at - billy.demon.nl
> http://www.billy.demon.nl
>
>

Follow-Ups:
- Re: Schema not available with restrictive ACLs
  - From: Tony Earnshaw <tonye@billy.demon.nl>

References:
- Schema not available with restrictive ACLs
  - From: "adp" <dap99@i-55.com>
- Re: Schema not available with restrictive ACLs
  - From: Tony Earnshaw <tonye@billy.demon.nl>

Prev by Date: openldap2.2.11 configuration failed
Next by Date: Re: openldap2.2.11 configuration failed
Index(es):
- Chronological
- Thread