
Re: cn=config && (ACI || ACL)



Turbo Fredriksson wrote:
> I managed to get cn=config working by following
> http://www.openldap.org/faq/index.cgi?_highlightWords=cn%20config&file=1365
> to the letter (meaning: I had to setup a rootdn/rootpw pair
> to be able to do searches).
> 
> How can this be used, _without_ using the rootdn/rootpw?

You can't.  Only the rootdn can access the cn=config database.  However,
you don't have to use the rootpw: any other means to auth the rootdn
(read: SASL, or in-directory credentials for a rootdn that's actually a
DN in another database) is just fine.

> I want
> ordinary users to be able to search/modify 'stuff' there (eventually,
> when I know exactly what it is and how to use it :).

Not 100% sure; but you should be able to use proxied authorization for
this (RFC 4370).

> I tried 'access to * by * write' as only ACL, but I _still_ got
> 'Insufficient access' whether or not I authenticated...
> And running with '-d 128' shows NOTHING for anonymous access
> (and only 'auth access to userPassword' when using bind DN).
> 
> 
> Also (when on the subject of cn=config), in what way is
> 'cn=schema,cn=config' different from 'cn=Subschema'?
> The devil is in the details, but why wasn't 'cn=Subschema'
> enough? It has everything (?) that 'cn=schema,cn=config'
> has... ?

cn=subschema is to __expose__ schema; cn=schema,cn=config is to
administer it.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
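As an added illustration of the reply's point (this LDIF is not from the thread or from the OpenLDAP project), the two modifications below make the config database's rootdn a DN that lives in another database, so the bind is checked against that entry's userPassword and no olcRootPW is needed, and map the local root user's ldapi SASL EXTERNAL identity onto that same DN. It assumes a second database with suffix dc=example,dc=com that already holds an entry cn=admin,dc=example,dc=com; both names are assumptions.

```ldif
# Assumption: cn=admin,dc=example,dc=com exists in the dc=example,dc=com
# database and has a userPassword. Making it the rootdn of the config
# database lets it authenticate with those in-directory credentials.
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=example,dc=com
-
# Drop the rootpw set up while following the FAQ; omit this change if
# the attribute is not present, or the modify fails as a whole.
delete: olcRootPW

# Map the SASL EXTERNAL identity of uid 0 on a local ldapi:// socket to
# the same DN, so root on the host needs no password at all.
# The '+' in the peercred name is a regex metacharacter and is escaped.
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth cn=admin,dc=example,dc=com
```

Apply it once, with the rootdn/rootpw pair from the FAQ, using ldapmodify; afterwards either `ldapmodify -x -D cn=admin,dc=example,dc=com -W` or, as root, `ldapmodify -Y EXTERNAL -H ldapi:///` reaches cn=config.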