[Date Prev][Date Next]
Re: requesting clarification of use of config backend
For docs, see http://www.openldap.org/doc/admin23/slapdconf2.html
It is redundant to list the rootdn in any ACL clause; the rootdn always
has full privileges and ignores all ACLs. Listing the rootdn merely
makes ACL evaluation slower for regular users.
The order of directives in your slapd.conf snippets is wrong. The
"rootdn" directive must follow the relevant "database" directive if you
want it to apply to a particular database.
The config database currently does not honor ACLs; it is hardcoded to
only allow access to the rootdn.
There is an outstanding bug in 2.3.7 related to quoting/escaping values
in config directives. This bug has been fixed in HEAD. (ITS#3807) It's
likely that this bug will cause your ACL definitions to be parsed
incorrectly. You can pull the latest version of slapd/bconfig.c and
slapd/config.c from CVS to test.
Brian Reichert wrote:
I've recently begun to explore the config backend for OpenLDAP 2.3.7, and
and running into what appears to be an ACL issue, but I can't figure out
what I've done wrong, nor how to explore further.
What I think are pertinent snippets from my slapd.conf:
access to dn.subtree="cn=config"
by dn.exact="cn=manager,com=foo" write
by * read
I created my slapd.d directory:
# mkdir -p /etc/openldap/slapd.d
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
# mv /etc/openldap/slapd.conf /etc/openldap/slapd.conf.test
# chown -R ldap:ldap /etc/openldap/slapd.d/
slapd.d does seem to be fully populated, and slapd was successfully
restarted. But, when I attempt to search this database:
# ldapsearch -x -LLL -D cn=manager,com=foo -w foobar \
-b cn=config > /var/tmp/ldif.out
Insufficient access (50)
Does anyone see anything obviously wrong here? I had several
databases with identical ACLs, which I can search, so I know I have
my credentials right.
Running the server and ldapsearch with '-d -1' doesn't reveal
anything like UNIX permission errors.
Alas, I could not find a manpage for slapd.d, nor slapd-config, so
I'm running blind, here...
I'd appreciate any feedback you folks can provide.
Brian Reichert <firstname.lastname@example.org>
55 Crystal Ave. #286 Daytime number: (603) 434-6842
Derry NH 03038-1725 USA BSD admin/developer at large
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/