
Re: Schema not available with restrictive ACLs

Um, hmm, not sure what to say. I did try it (and found the problem) and did
post it. :)

Here it is again, just in case:

access to attrs=userPassword
        by * auth

access to dn=".*,ou=People,dc=example,dc=com"
        by dn="uid=app,ou=Accounts,dc=example,dc=com" write
        by dn="uid=app2,ou=Accounts,dc=example,dc=com" read
        by dn="uid=app3,ou=Accounts,dc=example,dc=com" read

These ACLs don't allow tools such as LDAP Administrator to view the schema.
It seems some tools want to view the schema anonymously.

So my question all boiled down to if there was a:

access to schema
    by * read

Style solution? Or another way that I need to approach this? Or do I just
resign myself to not allowing anyone to view the schema if I want to lock down
access to our directory using auth-only users?

I was looking for a solution. I'm not aware of one, and don't see one in the


----- Original Message -----
From: "Tony Earnshaw" <tonye@billy.demon.nl>
To: "Openldap list" <openldap-software@OpenLDAP.org>
Sent: Sunday, May 16, 2004 1:50 PM
Subject: Re: Schema not available with restrictive ACLs

> Sun, 16.05.2004 at 18.04, adp wrote:
> > I should have made more clear that "access to schema" was entirely made
> > by me. I know that is really invalid. I was just trying to make it clear
> > what I wanted to do. AD lets you do this for example. You can access the
> > schema, but anything past that requires authentication.
> >
> > Hmm.. time to rephrase I think.
> >
> > My question can be summed up as this: How can I ensure all applications
> > access my schema while still restricting access to everything in my LDAP
> > directory to auth users only?
> Why not just get stuck in and do it? When it doesn't work and you've
> read all the man pages, archives, FAQs and Internet/archive stuff that
> you can and it then still doesn't work, say what didn't work, and post
> here :) I just had to "invent" a working ACL/schema for a new
> authentication/ SASL smtp/IMAP mail/ SASL Openldap conglomeration for a
> largish high school and hadn't got the faintest idea of what actually
> was going to /work/ until before I'd drawn it all up and then tried it
> out in practice. Turned out a couple of things needed a completely
> different approach than I'd thought in the first place, but I wouldn't
> have found out if I hadn't tried it out.
> Best,
> --Tonni
> --
> We make out of the quarrel with others rhetoric
> but out of the quarrel with ourselves, poetry.
> mail: billy - at - billy.demon.nl
> http://www.billy.demon.nl
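As an added illustration (not part of this thread, and not an ACL set anyone on the list posted), here is one way to express the requirement above in slapd.conf: the root DSE and the subschema subentry are readable by anyone, while every other entry requires a bind. It assumes OpenLDAP 2.1-or-later ACL syntax (dn.base, dn.exact, dn.subtree) and the default subschema DN cn=Subschema; the application DNs are the ones from the original post.

```conf
# Added example, not from the thread: schema readable anonymously,
# all directory data auth-only. Assumes OpenLDAP 2.1+ ACL syntax and the
# default subschema DN cn=Subschema.
#
# slapd evaluates "access to" clauses in order and stops at the first one
# whose target matches, so the narrow rules must come before the catch-all.

# Root DSE: clients read namingContexts and subschemaSubentry here,
# usually before they bind, to find out where the schema lives.
access to dn.base=""
        by * read

# Subschema subentry: this is what LDAP browsers fetch as "the schema".
access to dn.exact="cn=Subschema"
        by * read

# Passwords: usable for a simple bind, never readable.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# People data: named application accounts only; anonymous gets nothing.
access to dn.subtree="ou=People,dc=example,dc=com"
        by dn.exact="uid=app,ou=Accounts,dc=example,dc=com" write
        by dn.exact="uid=app2,ou=Accounts,dc=example,dc=com" read
        by dn.exact="uid=app3,ou=Accounts,dc=example,dc=com" read
        by * none

# Everything else: authenticated users only. Without a matching "by"
# clause slapd denies access anyway; the explicit "by * none" just makes
# the intent visible to the next person reading the file.
access to *
        by users read
        by * none
```

The rule for the root DSE is the one that is easy to forget: many clients locate the schema through the subschemaSubentry attribute of the root DSE, so granting read on cn=Subschema alone may still leave the browser unable to find it. To confirm the result, an unauthenticated base-scope search with OpenLDAP's ldapsearch against cn=Subschema with the `+` pseudo-attribute (operational attributes, which is where attributeTypes and objectClasses live) should return the schema, while the same anonymous search against ou=People,dc=example,dc=com should return nothing.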