
Re: Connection failures from OS X, appears to be TLS-related

Ben Beuchler wrote:
> On 5/22/06, Aaron Richton <richton@nbcs.rutgers.edu> wrote:
> > Care to share the ACL you're using?  I've tried both of these:
>
> In the global section (before any "database" lines), first access line:
>
> access to dn.exact=""
>         by * none
>
> So with that in place, I lose access to any of the other configuration-related entries. For example, some of the GUI LDAP tools (e.g., JXplorer) want to use the data from subschemaSubentry to find the available objectClasses (by looking in cn=Subschema).
>
> Clearly I can fix this by making the very next line after the above
> ACL something like this:
>
> access to dn.subtree=""
>        by * read
>
> However, that's a little disconcerting.  What are the default
> permissions on this "metadata" section of the tree?  Is 'by * read' a
> reasonable choice?

Use access to dn.exact="" instead; dn.subtree="" means everything on the server.

 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/
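As an added illustration (not part of the thread), here is how the two ACLs discussed above fit together in the global section of slapd.conf when the schema subentry is granted by its exact DN, as Howard suggests, instead of with dn.subtree="". The trailing `access to *` clause is an assumption taken from the usual default-deny pattern, not from Ben's configuration.

```conf
# Added example, not from the thread. Global ACLs, placed before the first
# "database" line. slapd evaluates "access to" directives in order and the
# first one whose <what> clause matches the target entry decides; once any
# access directive exists, an entry matched by none of them gets no access,
# which is why adding rule 1 alone took cn=Subschema away.

# 1. Root DSE only. dn.exact="" (alias dn.base="") matches the empty DN and
#    nothing below it. This is the thread's first ACL; note that it also
#    hides supportedSASLMechanisms from clients that read it before binding.
access to dn.exact=""
        by * none

# 2. Schema subentry, which GUI browsers such as JXplorer read to learn the
#    available objectClasses. Granted by exact DN: dn.subtree="" would match
#    every entry on the server, not just this "metadata" section.
access to dn.exact="cn=Subschema"
        by * read

# 3. Regular data (assumed default-deny pattern): anonymous clients may only
#    authenticate, authenticated users may read, entries may update themselves.
access to *
        by self write
        by users read
        by anonymous auth
```

Check the effect with base-scope searches as an anonymous client, e.g. `ldapsearch -x -s base -b "" '+'` for the root DSE and `ldapsearch -x -s base -b cn=Subschema objectClasses` for the schema; the first should return no entry, the second the objectClasses list.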