
Re: cn=Subschema and acl

Alex Samad wrote:
> On Fri, Jan 22, 2010 at 08:28:52AM +1100, Alex Samad wrote:
>> On Thu, Jan 21, 2010 at 12:03:32PM +0100, Jonathan Clarke wrote:
>>> On 01/20/2010 07:17 AM, Alex Samad wrote:
>>>> Hi
>>>> I was wondering where I place ACLs for cn=Subschema, as there doesn't seem
>>>> to be a db defined for it, or is it the same as cn=schema?
>>> Regardless of which database it is attached to, you can define any
>>> ACLs in the global section of the configuration file (before any
>>> database declarations).
>> I am using cn=config/dynamic config, so I am not using any slapd.conf.
>> From my reading of slapd-config I gather this is not the same,
>> because I can put it in olcDatabase=frontend,cn=config, which is like a
>> default, and the man page seems to suggest that you put ACLs with the
>> dbs they are meant to control (although now that I re-read it, it seems
>> like the ACLs are all meant to be in the frontend db).
> More investigation from 
> http://www.openldap.org/doc/admin24/access-control.html#Access%20Control%20via%20Dynamic%20Configuration
> When evaluating whether some requester should be given access to an
> entry and/or attribute, slapd compares the entry and/or attribute to the
> <what> selectors given in the configuration. For each entry, access
> controls provided in the database which holds the entry (or the global
> access directives if not held in any database) apply first, followed by
> the global access directives (which are held in the frontend database
> definition). However, when dealing with an access list, because the
> global access list is effectively appended to each per-database list, if
> the resulting list is non-empty then the access list will end with an
> implicit access to * by * none directive. If there are no access
> directives applicable to a backend, then a default read is used.
> So to me it reads:
> database ACLs first
> frontend ACLs
> So is it best practice to put everything in the frontend?

Only if your entire ACL config is meant to apply uniformly to all the
databases in the server. Usually that won't be the case; people tend to create
multiple databases because different parts of their DIT need different settings.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
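The split Howard describes, written out as a cn=config LDIF: global ACLs (which are also the only ones that can cover entries held in no backend, such as cn=Subschema) go on the frontend database, while rules specific to one suffix go on that suffix's own database entry, where they are evaluated first with the frontend list appended after them. This is an added example, not from the thread or the OpenLDAP project; the database index `{1}`, the `mdb` backend and the suffix `dc=example,dc=com` are assumed placeholder values for your server.

```ldif
# Added example (not part of the thread). Global ACLs live on the frontend
# database in cn=config. They apply to entries held in no backend, such as
# cn=Subschema, and are appended after every per-database list.
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to dn.exact="cn=Subschema" by users read by * none
olcAccess: {1}to * by * none

# Per-database ACLs for one suffix (index {1}, backend mdb and the suffix
# dc=example,dc=com are assumed placeholders). For entries in this database
# these rules are checked first; the frontend list above follows, and the
# combined list ends with an implicit "to * by * none".
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to dn.subtree="dc=example,dc=com" by users read by * none
```

Apply it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif` (the usual root-over-ldapi access to cn=config), then confirm the result with a `ldapsearch -b cn=Subschema -s base` as an authenticated user and as anonymous: the first should return the schema, the second should be denied. Note that `replace: olcAccess` discards whatever olcAccess values the entry already held, so inspect the current values first if you only want to add a rule.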