[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: cn=Subschema and acl

On Fri, Jan 22, 2010 at 08:28:52AM +1100, Alex Samad wrote:
> On Thu, Jan 21, 2010 at 12:03:32PM +0100, Jonathan Clarke wrote:
> > On 01/20/2010 07:17 AM, Alex Samad wrote:
> > >Hi
> > >
> > >I was wonder were do I place acl for cn=Subschema as there doesn;t seems
> > >to be a db defined for it or is it the same as cn=schmea ?
> > 
> > Regardless of which database it is attached to, you can define any
> > ACLs in the global section of the configuration file (before any
> > database declarations).
> I am using cn=config/dynamic config so I am not using any slapd.conf.
> from my reading of slapd-config I gather this is not the same,
> cause I can put it in olcDatabase=frontend,cn=config which is like a
> default and the man page seems to suggest that you put acl's with the
> db's they are mean to control (although now that I re read it, it seems
> like the acl's are all meant to be in the frontend db).

More investigation from 


When evaluating whether some requester should be given access to an
entry and/or attribute, slapd compares the entry and/or attribute to the
<what> selectors given in the configuration. For each entry, access
controls provided in the database which holds the entry (or the global
access directives if not held in any database) apply first, followed by
the global access directives (which are held in the frontend database
definition). However, when dealing with an access list, because the
global access list is effectively appended to each per-database list, if
the resulting list is non-empty then the access list will end with an
implicit access to * by * none directive. If there are no access
directives applicable to a backend, then a default read is used.

so to me it read

database acl first
frontend acl's

so is it best practice to put everything in the frontend ?

I have been thing about setting up a 2 node multi master & 3 nodes of
just consumer nodes.  These consumer nodes might consume from other
areas as well.

My Issue has been how to replicate the acl's with out replicating a lot
cn=config.  My thought was to place all the db acl's in the
olcDatabase={2}hdb,cn=config record and then allow repication of this
with the same dn that is allowed to replicate the actual db.

from there I got to thinking about cn=schema and where was the best
place to place the acls.  Taking into consideration that I might want to
have different schema's loaded on difference consumers (not the multi


> > 
> > Hope this helps,
> > Jonathan
> > 

"The best way to find these terrorists who hide in holes is to get people coming forth to describe the location of the hole, is to give clues and data."

	- George W. Bush
Washington, DC

Attachment: signature.asc
Description: Digital signature