
Re: RootDSE question

Mike Carpenter wrote:

I am trying to get a LDAP Administrator program running according to their tech support I am not allowing my RootDSE to be read.

I have tried as both an "Administrator" and as the rootdn

I am using OpenLDAP 2.0.27-17 (RedHat RPM) and my security section of my conf file reads as follows..

access to attr=userPassword
by self write
by anonymous auth
by group/organizationalRole/roleOccupant="cn=LDAPAdmins,o=company,c=us" write
by * none

access to *
by self write
by group/organizationalRole/roleOccupant="cn=LDAPAdmins,o=company,c=us" write
by users read

access to dn=""
        by * read

I believe the last statement is what should give everyone read access to the rootDSE, but as you can probably tell I am not very versed in LDAP administration.
Any help would be greatly appreciated...

Access rules are evaluated in the order they're input, as indicated in the guide and in the man pages. As such, the second rule ("*") catches all, and the third (dn="") is never used. Reverse the order (changing the <what> clause to dn.base="") and you'll do the trick. Note that OpenLDAP 2.0 has been historic for some time now, and 2.1 is historic as well, so you might run into problems by running that software; upgrading to the latest 2.2 is strongly encouraged.

   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
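The reordering described in the reply, written out as a complete slapd.conf access section. This is an added example, not configuration from either poster; the group DN and suffix are copied from the question, and the placement note about the global section assumes OpenLDAP 2.2 or later, where the rootDSE is served by the frontend rather than by a backend database.

```conf
# ACLs are matched first-hit: for a given request, slapd takes the first
# "access to <what>" clause whose <what> matches the target and then the first
# "by <who>" clause inside it that matches the requester. Nothing after that is
# consulted. The rootDSE rule therefore has to come before the catch-all "*".
#
# In 2.2+ an ACL for the rootDSE (dn.base="") belongs in the global section,
# i.e. above the first "database" directive, because the rootDSE is not owned
# by any backend. (Assumption for this example: a single bdb database.)

access to dn.base=""
        by * read

database        bdb
suffix          "o=company,c=us"
rootdn          "cn=Manager,o=company,c=us"

# userPassword: the user may change it, anonymous may only use it to bind
# ("auth", no read), LDAPAdmins may set it, everyone else gets nothing.
access to attrs=userPassword
        by self write
        by anonymous auth
        by group/organizationalRole/roleOccupant="cn=LDAPAdmins,o=company,c=us" write
        by * none

# Catch-all, evaluated only for targets not matched above. Anonymous binds end
# up in the implicit "by * none", which is exactly why the rootDSE rule could
# never fire when it was listed after this one.
access to *
        by self write
        by group/organizationalRole/roleOccupant="cn=LDAPAdmins,o=company,c=us" write
        by users read
        by * none
```

To confirm the rootDSE is readable anonymously after restarting slapd, run a base-scope search against the empty DN without binding, for example `ldapsearch -x -H ldap://localhost -s base -b "" "(objectClass=*)" namingContexts supportedLDAPVersion`. If the entry comes back empty with the rule still behind the catch-all, that is the first-match behaviour described above, not a problem with the tool.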