Re: Schema not available with restrictive ACLs
I think you should give access to the root DN
like this (as the first ACL):
access to ""
by * read
It bugged me for quite a while, and I asked a couple of times on this list a
year ago or so and got no answers :-)
> Um, hmm, not sure what to say. I did try it (and found the problem) and did
> post it. :)
> Here it is again, just in case:
> access to attrs=userPassword
> by * auth
> access to dn=".*,ou=People,dc=example,dc=com"
> by dn="uid=app,ou=Accounts,dc=example,dc=com" write
> by dn="uid=app2,ou=Accounts,dc=example,dc=com" read
> by dn="uid=app3,ou=Accounts,dc=example,dc=com" read
> These ACLs don't allow tools such as LDAP Administrator to view the schema.
> It seems some tools want to view the schema anonymously.
> So my question all boiled down to if there was a:
> access to schema
> by * read
> style solution? Or another way that I need to approach this? Or do I just
> resign myself to not allowing anyone to view the schema if I want to lock down
> access to our directory to auth-only users?
> I was looking for a solution. I'm not aware of one, and don't see one in
> the manpages.
> ----- Original Message -----
> From: "Tony Earnshaw" <email@example.com>
> To: "Openldap list" <openldap-software@OpenLDAP.org>
> Sent: Sunday, May 16, 2004 1:50 PM
> Subject: Re: Schema not available with restrictive ACLs
> > Sun, 16.05.2004 at 18.04, adp wrote:
> > > I should have made more clear that "access to schema" was entirely made
> > > by me. I know that is really invalid. I was just trying to make it
> > > clear what I wanted to do. AD lets you do this for example. You can
> > > access the schema, but anything past that requires authentication.
> > >
> > > Hmm.. time to rephrase I think.
> > >
> > > My question can be summed up as this: How can I ensure all applications
> > > access my schema while still restricting access to everything in my
> > > LDAP directory to auth users only?
> > Why not just get stuck in and do it? When it doesn't work and you've
> > read all the man pages, archives, FAQs and Internet/archive stuff that
> > you can and it then still doesn't work, say what didn't work, and post
> > here :) I just had to "invent" a working ACL/schema for a new
> > authentication/SASL smtp/IMAP mail/SASL OpenLDAP conglomeration for a
> > largish high school and hadn't got the faintest idea of what actually
> > was going to /work/ until I'd drawn it all up and then tried it
> > out in practice. Turned out a couple of things needed a completely
> > different approach than I'd thought in the first place, but I wouldn't
> > have found out if I hadn't tried it out.
> > Best,
> > --Tonni
> > --
> > We make out of the quarrel with others rhetoric
> > but out of the quarrel with ourselves, poetry.
> > mail: billy - at - billy.demon.nl
> > http://www.billy.demon.nl
Ace Suares' Internet Consultancy
NEW ADDRESS: Postbus 2599, 4800 CN Breda
telephone: 06-244 33 608
fax and voicemail: 0848-707 705
website: http://www.suares.nl * http://www.qwikzite.nl
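The following slapd.conf fragment is an added example, not part of the thread above and not taken from the OpenLDAP project's documentation. It does what adp asked for: any client, bound or not, can read the root DSE and the schema, while everything under the suffix is restricted to authenticated users. It assumes the explicit `dn.base=` ACL syntax available from OpenLDAP 2.1 onward, the default subschema subentry name `cn=Subschema`, and reuses the suffix and application-account DNs from adp's post; the `bdb` backend is an assumption, not something the thread states.

```conf
# Added example (not from the thread): root DSE and schema readable by
# everyone, the rest of dc=example,dc=com only by authenticated users.
# Assumes OpenLDAP 2.1+ "dn.base" syntax and the default subschema
# subentry name "cn=Subschema"; the DNs below are taken from adp's post.

# Global ACLs: placed before the first "database" directive. The root DSE
# (empty DN) and cn=Subschema are served by the frontend, not by any
# database, so only global ACLs can grant access to them. Using dn.base=""
# (rather than a bare regex) makes it unambiguous that only the empty DN
# is matched.
access to dn.base=""
        by * read
access to dn.base="cn=Subschema"
        by * read

# Everything below applies to the suffix only.
database        bdb
suffix          "dc=example,dc=com"

# Passwords: "auth" lets a simple bind compare against the stored value,
# but nobody can read it back. The first matching "access to" clause
# decides, so this must come before any broader clause on the same entries.
access to attrs=userPassword
        by * auth

# Only the application accounts see the People branch. dn.subtree also
# matches the ou=People entry itself (adp's regex ".*,ou=People,..." did
# not), which the apps need as a search base. "by * none" closes the
# clause explicitly for everyone else.
access to dn.subtree="ou=People,dc=example,dc=com"
        by dn.exact="uid=app,ou=Accounts,dc=example,dc=com" write
        by dn.exact="uid=app2,ou=Accounts,dc=example,dc=com" read
        by dn.exact="uid=app3,ou=Accounts,dc=example,dc=com" read
        by * none

# Catch-all for the rest of the suffix: bound users read, anonymous gets
# nothing. An unmatched entry would default to "none" anyway, but stating
# it keeps a later, carelessly appended "access to *" from widening access.
access to *
        by users read
        by * none
```

To check the result from the client side, an anonymous simple bind (`ldapsearch -x`) against the root DSE with `-b "" -s base` should return `namingContexts` and `subschemaSubentry`, and `-b cn=Subschema -s base "(objectClass=subschema)" objectClasses attributeTypes` should return the schema; the same anonymous search with `-b dc=example,dc=com` should return no entries. Two caveats a practitioner will want: a global `require authc` directive forces authentication on every operation and would defeat the anonymous schema read that tools such as LDAP Administrator rely on, and the root DSE deliberately discloses the naming contexts and supported mechanisms to unauthenticated clients, which is the trade-off being accepted here.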