
Re: cn=Subschema and acl



Quanah Gibson-Mount wrote:
> --On Friday, January 22, 2010 8:28 AM +1100 Alex Samad <alex@samad.com.au> 
> wrote:
> 
>> On Thu, Jan 21, 2010 at 12:03:32PM +0100, Jonathan Clarke wrote:
>>> On 01/20/2010 07:17 AM, Alex Samad wrote:
>>>> Hi
>>>>
>>>> I was wondering where I place ACLs for cn=Subschema, as there doesn't
>>>> seem to be a db defined for it, or is it the same as cn=schema?
>>>
>>> Regardless of which database it is attached to, you can define any
>>> ACLs in the global section of the configuration file (before any
>>> database declarations).
>>
>> I am using cn=config/dynamic config so I am not using any slapd.conf.
>>
>> from my reading of slapd-config I gather this is not the same,
>>
>> because I can put it in olcDatabase=frontend,cn=config, which is like a
>> default, and the man page seems to suggest that you put ACLs with the
>> DBs they are meant to control (although now that I re-read it, it seems
>> like the ACLs are all meant to be in the frontend DB).
> 
> There are still global-level ACLs that don't apply to a database, like
> cn=subschema.
> 
> For example in my DB:
> 
> [root@freelancer cn=config]# grep olcA olcDatabase\=\{-1\}frontend.ldif
> olcAccess: {0}to *  by dn.children="cn=admins,cn=zimbra" write  by * +0 
> break
> olcAccess: {1}to dn.base=""  by * read
> olcAccess: {2}to dn.base="cn=subschema"  by * read

Just to clarify - what used to be considered "global" for a lot of these
settings is now owned by the frontendDB, ever since OpenLDAP 2.3.

Now (since 2.3) "global" settings are only those which affect the entire slapd
environment - such as loglevel, number of threads, etc.

ACLs, and other settings which affect particular database operations, are all
associated with a specific DB. "Global ACLs" are those which are configured on
the frontendDB.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
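Putting the two replies above together, this is an added example (not from the thread and not OpenLDAP project code) of the ldapmodify LDIF that installs the cn=subschema ACL on the frontend database under cn=config, which is where "global" ACLs live since 2.3. The {2} index and the admin group DN are assumed values; the bind method and URI are assumptions too.

```ldif
# Added example: grant read access to the subschema subentry by adding an
# olcAccess value to the frontend DB, the holder of "global" ACLs in
# cn=config.  The index {2} is a constructed value; list the existing
# ordered values first and pick the position you want, e.g.
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b 'olcDatabase={-1}frontend,cn=config' olcAccess
# Apply with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f subschema-acl.ldif
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcAccess
olcAccess: {2}to dn.base="cn=subschema" by * read
```

Because olcAccess is an X-ORDERED attribute, adding a value with an explicit {n} prefix inserts it at that position and renumbers the values after it; to require a bind before the schema can be read, use `by users read` in place of `by * read`.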