
Re: Problems in OpenLDAP 2.4.11



John Du wrote:
> I fixed the two problems.
> 
> Problem one was fixed by adding an "access to dn.subtree="cn=SubSchema
> by * read".

This should be sufficient since the subschema subentry is a single entry:

access to dn.base="cn=Subschema" by * read

> I thought the root DN is not subject to any access control rules but that
> does not seem to be the case.

Indeed, no ACLs are applied when effectively binding as rootdn. What
makes you think that this is not the case?

>  I do not understand why I have to add the
> index for the new server but not for the old one.

The problem is that if you added an index directive to slapd.conf but did
not re-index, slapd looks into the index database file and the old entries
are not there yet. So the entry is not returned as a search result. This
might make you think that access control prevents the entry from being
returned.

Also be sure that all the database files have the right
ownership/permissions when manually re-indexing them.

Ciao, Michael.
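
Added example, not part of the original message: a shell check for the ownership and permission point above, to run after an offline re-index and before restarting slapd. The account name `ldap`, the directory `/var/lib/ldap` and the slapd.conf path in the comments are assumptions; use the account slapd runs as and the path from the `directory` directive of your database.

```shell
#!/bin/sh
# Added example. Assumptions: slapd runs as an unprivileged account and the
# database directory is the one named by "directory" in slapd.conf.

# Print database files that the slapd account does not own.
# $1 = database directory, $2 = account name or numeric uid slapd runs as
wrong_owner() {
    find "$1" -type f ! -user "$2" -print
}

# Print database files that are writable by group or by others.
loose_perms() {
    find "$1" -type f \( -perm -020 -o -perm -002 \) -print
}

# Return 0 only when nothing is flagged; otherwise list the findings on
# stdout and return 1.
check_db_files() {
    dir=$1
    owner=$2
    status=0
    bad=$(wrong_owner "$dir" "$owner")
    if [ -n "$bad" ]; then
        printf 'not owned by %s:\n%s\n' "$owner" "$bad"
        status=1
    fi
    bad=$(loose_perms "$dir")
    if [ -n "$bad" ]; then
        printf 'group/world-writable:\n%s\n' "$bad"
        status=1
    fi
    return $status
}

# Typical use after re-indexing with slapd stopped (paths and account assumed):
#   slapindex -f /etc/openldap/slapd.conf
#   check_db_files /var/lib/ldap ldap || chown -R ldap:ldap /var/lib/ldap
```

Index files created by running slapindex as root are the usual finding: slapd running under its own account then cannot open them.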