Re: Schema not available with restrictive ACLs
Thanks to you and everyone else for your suggestions. I will be attempting a
And yes, we are in production with openldap-2.0 I believe (don't have access
right now). An upgrade would take a while for planning and testing.
----- Original Message -----
From: "Pierangelo Masarati" <email@example.com>
Sent: Monday, May 17, 2004 2:32 AM
Subject: Re: Schema not available with restrictive ACLs
> > Um, hmm, not sure what to say. I did try it (and found the problem) and
> > did post it. :)
> > Here it again, just in case:
> > access to attrs=userPassword
> > by * auth
> > access to dn=".*,ou=People,dc=example,dc=com"
> > by dn="uid=app,ou=Accounts,dc=example,dc=com" write
> > by dn="uid=app2,ou=Accounts,dc=example,dc=com" read
> > by dn="uid=app3,ou=Accounts,dc=example,dc=com" read
> > These ACLs don't allow tools such as LDAP Administrator to view the
> > schema. It seems some tools want to view the schema anonymously.
> > So my question all boiled down to if there was a:
> > access to schema
> > by * read
> > Style solution? Or another way that I need to approach this? Or do I
> > just resign myself to not allowing anyone view the schema if I want to
> > lock down access to our directory using auth-only users.
> > I was looking for a solution. I'm not aware of one, and don't see one in
> > the manpages.
> I guess you missed how ACL selection does actually work.
> - If you don't supply any, the default is to give read privileges to all.
> - (subtle rule) global ACLs are evaluated after backend specific. If
> there aren't any, those of the first backend are used as global.
> - as soon as you supply one, the default access is "none", so, in your
> case, as soon as you gave auth privileges on userPassword and read/write
> access below People to a couple of DNs, you implicitly gave "none" access
> to everything else by anyone else. So, to gain anonymous access to
> rootDSE and schema, what you need is
> access to dn.exact=""
> by * read
> access to dn.exact="cn=Subschema"
> by * read
> Your idea of "access to schema" is interesting, but totally equivalent to
> the above, with the only advantage that a change in the schema name would
> be automatically reflected by ACLs. I don't much see this need.
> BTW, note that, as clearly written in slapd.access(5), your ACLs
> (assuming you're using 2.2) are wrong, because the default for "dn" is
> exact, so ".*,ou=People,dc=example,dc=com" is not a valid DN. Since you
> were not bailed out, this implies you're using an older version of
> OpenLDAP software. In any case, to obtain the "all subtree excluding the
> base branch" you are apparently trying to get, a more efficient solution,
> as written in slapd.access(5), would have been
> access to dn.children="ou=People,dc=example,dc=com"
> by dn="uid=app,ou=Accounts,dc=example,dc=com" write
> by dn="uid=app2,ou=Accounts,dc=example,dc=com" read
> by dn="uid=app3,ou=Accounts,dc=example,dc=com" read
> Pierangelo Masarati
> SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
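The selection rules Pierangelo describes (first matching "access to" wins, then the first matching "by"; an unmatched "by" list and an unmatched "to" both mean none; no ACL at all means read for everyone) are easy to get wrong by reasoning alone, so here is a small model of them that can be run against the two ACL sets from this thread. This is an added example written for this page, not OpenLDAP code and not something either poster provided; it models only the few selectors used above (dn= with exact/children/subtree/regex styles, attrs=, "*", anonymous, users and dn= for the who side), it assumes the 2.2 behaviour that a bare dn= is exact, and it ignores everything else slapd supports (rootdn, self, peername, control keywords, the entry/children pseudo-attributes). The two configurations, the account DNs and the entry DNs are constructed for the demo.

```python
"""
Toy model of slapd ACL selection (added example, not OpenLDAP code).
Modelled rules: first matching "access to" wins; within it the first matching
"by" wins; a matching "to" with no matching "by" is none; no matching "to" is
none; a configuration with no ACL at all grants read to everybody.
"""
import re

LEVELS = ["none", "auth", "compare", "search", "read", "write"]   # weakest to strongest

WHAT_RE = re.compile(r'^(?:(\*)|attrs=(\S+)|dn(?:\.(exact|children|subtree|regex))?="([^"]*)")$')
WHO_RE = re.compile(r'^(?:(\*)|(anonymous)|(users)|dn="([^"]*)")\s+(\w+)$')


def norm(dn):
    """Case-fold and strip spaces so DNs compare as plain strings (toy normalisation)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_acls(text):
    """Parse 'access to <what>' / 'by <who> <level>' lines into a list of rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to "):
            m = WHAT_RE.match(line[len("access to "):].strip())
            if not m:
                raise ValueError("unsupported <what>: " + line)
            star, attrs, style, dn = m.groups()
            if star:
                what = ("*", None, None)
            elif attrs is not None:
                what = ("attrs", None, {a.lower() for a in attrs.split(",")})
            else:
                what = ("dn", style or "exact", dn)      # bare dn= is exact (2.2 behaviour)
            rules.append((what, []))
        elif line.startswith("by "):
            m = WHO_RE.match(line[3:].strip())
            if not m or m.group(5) not in LEVELS:
                raise ValueError("unsupported <who>: " + line)
            star, anon, users, dn, level = m.groups()
            who = ("*", None) if star else ("anonymous", None) if anon \
                else ("users", None) if users else ("dn", dn)
            rules[-1][1].append((who, level))
        else:
            raise ValueError("unexpected line: " + line)
    return rules


def what_matches(what, target_dn, attr):
    kind, style, value = what
    if kind == "*":
        return True
    if kind == "attrs":                      # only matches when an attribute is asked for
        return attr is not None and attr.lower() in value
    dn, base = norm(target_dn), norm(value)
    if style == "exact":
        return dn == base
    if style == "subtree":
        return dn == base or dn.endswith("," + base)
    if style == "children":                  # strictly below base; the base entry is excluded
        return dn != base and dn.endswith("," + base)
    return re.fullmatch(value, target_dn, re.IGNORECASE) is not None   # regex style


def who_matches(who, bind_dn):
    kind, value = who
    if kind == "*":
        return True
    if kind == "anonymous":
        return bind_dn == ""
    if kind == "users":
        return bind_dn != ""
    return norm(bind_dn) == norm(value)


def granted(rules, bind_dn, target_dn, attr=None):
    """Level slapd would grant bind_dn on target_dn (attr=None means the entry itself)."""
    if not rules:
        return "read"                        # no ACL at all: everyone may read
    for what, by_clauses in rules:
        if what_matches(what, target_dn, attr):
            for who, level in by_clauses:
                if who_matches(who, bind_dn):
                    return level
            return "none"                    # implicit trailing "by * none"
    return "none"                            # implicit trailing "access to * by * none"


def allowed(rules, bind_dn, target_dn, needed, attr=None):
    return LEVELS.index(granted(rules, bind_dn, target_dn, attr)) >= LEVELS.index(needed)


# Constructed configs: the locked-down set from the thread written with dn.children,
# and the same set with the rootDSE/subschema rules placed in front of it.
LOCKED = """
access to attrs=userPassword
    by * auth
access to dn.children="ou=People,dc=example,dc=com"
    by dn="uid=app,ou=Accounts,dc=example,dc=com" write
    by dn="uid=app2,ou=Accounts,dc=example,dc=com" read
    by dn="uid=app3,ou=Accounts,dc=example,dc=com" read
"""
FIXED = """
access to dn.exact=""
    by * read
access to dn.exact="cn=Subschema"
    by * read
""" + LOCKED

APP = "uid=app,ou=Accounts,dc=example,dc=com"       # constructed bind DNs and entries
APP2 = "uid=app2,ou=Accounts,dc=example,dc=com"
ALICE = "uid=alice,ou=People,dc=example,dc=com"

if __name__ == "__main__":
    locked, fixed = parse_acls(LOCKED), parse_acls(FIXED)
    print("anonymous reads cn=Subschema, locked:", allowed(locked, "", "cn=Subschema", "read"))
    print("anonymous reads cn=Subschema, fixed: ", allowed(fixed, "", "cn=Subschema", "read"))
    print("app reads ou=People itself, fixed:   ", allowed(fixed, APP, "ou=People,dc=example,dc=com", "read"))
```

Running it shows the two points of the reply directly: with only the userPassword and People rules present, an anonymous read of cn=Subschema falls through to the implicit "access to * by * none" and is refused, while prepending the two dn.exact rules lets it through; it also shows that dn.children leaves ou=People itself unreadable even for uid=app, which is what dn.subtree would be needed for if the base entry had to be visible. The exact rules for "" and cn=Subschema go first because the first matching "to" clause decides, so narrow selectors belong ahead of broad ones.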