
Re: Schema not available with restrictive ACLs

Sun, 16.05.2004 at 23.42, adp wrote:

> Um, hmm, not sure what to say. I did try it (and found the problem) and did
> post it. :)

Bit abrupt, I admit. But one should make clear what one's done.

> Here it is again, just in case:
> access to attrs=userPassword
>         by * auth
> access to dn=".*,ou=People,dc=example,dc=com"
>         by dn="uid=app,ou=Accounts,dc=example,dc=com" write
>         by dn="uid=app2,ou=Accounts,dc=example,dc=com" read
>         by dn="uid=app3,ou=Accounts,dc=example,dc=com" read
> These ACLs don't allow tools such as LDAP Administrator to view the schema.
> It seems some tools want to view the schema anonymously.

As Pierangelo points out (hints, at any rate), there has been a big
difference in ACL syntax (and in what ACLs accomplish) between when I
started, with 2.1.8, and what 2.2.11 can do and will accept. I don't know
what LDAP Administrator will do, but all schemas are visible anonymously
with GQ 1.0b1 and OL 2.2.11, with the initial ACLs (as noted by Ace):

access to dn.base=""
  by * read

access to dn.base="cn=Subschema"
  by dn="cn=admin,dc=billy,dc=demon,dc=nl" write
  by * read

Turbo's 2nd ldapsearch command line works as well with these ACLs, which
are normally necessary anyway.

If you haven't set up production yet, I'd strongly advise jumping in at
the deep end and going for >= 2.2.11. A couple of people are having
replication problems, but 2.2.11's unusually robust and fast when the DB
and indices have been optimized (earlier 2.2 versions were not and
2.1.30 still isn't as robust as 2.2.30). At least, that's my experience.

We make out of the quarrel with others rhetoric
but out of the quarrel with ourselves, poetry.

mail: billy - at - billy.demon.nl
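As an added illustration that is not part of the thread: a small Python lint that parses a slapd.conf ACL fragment and reports whether anonymous clients get read on the root DSE and on cn=Subschema, which is what a schema-browsing tool such as the ones discussed above needs. The sample configuration is constructed here (the poster's restrictive ACLs with the two schema clauses from the reply placed first, illustrative DNs), and the rule matching is a literal-string simplification of slapd's first-match semantics, not slapd's own evaluator.

```python
import shlex
# Constructed sample slapd.conf fragment: the poster's restrictive ACLs with the two
# schema-visibility clauses from the reply placed first (DNs are illustrative).
SAMPLE_CONF = """\
access to dn.base=""
  by * read
access to dn.base="cn=Subschema"
  by dn="cn=admin,dc=example,dc=com" write
  by * read
access to attrs=userPassword
        by * auth
access to dn=".*,ou=People,dc=example,dc=com"
        by dn="uid=app,ou=Accounts,dc=example,dc=com" write
"""
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]  # weakest to strongest

def parse_acls(conf):
    """Return [(what, [(who, level), ...])] in file order."""
    directives = []
    for raw in conf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and directives:      # slapd.conf continuation line
            directives[-1].extend(shlex.split(raw))
        else:
            directives.append(shlex.split(raw))
    acls = []
    for toks in directives:
        if toks[:2] != ["access", "to"]:
            continue
        clauses, i = [], 3
        while i + 2 < len(toks) and toks[i] == "by":
            clauses.append((toks[i + 1], toks[i + 2]))
            i += 3
        acls.append((toks[2], clauses))
    return acls

def anonymous_level(acls, what):
    """Level the first matching 'access to' grants to anonymous ('by *'), or 'none'
    (slapd's implicit trailing clause). <what> is compared literally after shlex strips
    quotes (dn.base="" becomes 'dn.base='); 'access to *' matches anything, as in slapd."""
    for w, clauses in acls:
        if w in (what, "*"):
            return next((lvl for who, lvl in clauses if who == "*"), "none")
    return "none"   # nothing matched: slapd denies once any ACL is configured

def schema_visible_anonymously(acls):
    """True when root DSE and cn=Subschema are both anonymously readable."""
    return all(LEVELS.index(anonymous_level(acls, w)) >= LEVELS.index("read")
               for w in ("dn.base=", "dn.base=cn=Subschema"))
```

Run it against a real slapd.conf by passing the file contents to parse_acls; an `access to *` rule placed before the two schema clauses shows up as the schema becoming invisible, which is the ordering mistake the thread is about.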