
Re: Solved: Re: Possible ACL Issue while try to read Root DSE



Am Thu, 01 Dec 2011 10:26:32 +0100
schrieb Axel Birndt <towerlexa@gmx.de>:

> Hi Dieter,
> 
> Am 01.12.2011 09:27, schrieb Dieter Klünter:
> > Am Wed, 30 Nov 2011 22:05:24 +0100
> > schrieb Axel Birndt<towerlexa@gmx.de>:
> 
> >> Is this security conformant? Or is it better to allow only
> >> authenticated users to read this?
> >>
> >> Are there any best practices for this?
> >
> > dn.base="" exposes rootDSE which has to be read by any client, so
> > this should be anonymous readable, same applies to cn=subschema as
> > clients have to know the attribute types and objectclasses
> > available. But nobody should have access to schema database, so
> > remove rule {1}
> 
> thanks for your hint.
> 
> I changed my rules now to this:
> 
> - for olcDatabase={-1}frontend,cn=config
> 
> {0}to dn.base="" by * read
> {1}to dn.base="cn=Subschema" by * read
> {2}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
> 
> - for olcDatabase={1}hdb,cn=config
> 
> {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=2axels-company,dc=ro" write by anonymous auth by self write by * none
> {1}to dn.base="" by * read
> {2}to dn.base="cn=Subschema" by * read
> {3}to * by dn="cn=admin,dc=2axels-company,dc=de" write by * read
> 
> In my opinion it's not needed to have the rules {1} and {2} in the
> "olcDatabase={1}hdb,cn=config" section. Right?

Correct, there is no need for rules {1} and {2}, as these rules are not
database-specific but belong to the frontend.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
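A small lint for the rules discussed in this thread, added here as an example and not part of the original posts: it parses olcAccess values, checks that the frontend leaves rootDSE and cn=Subschema readable by anonymous clients, and flags database rules that merely repeat frontend rules. The sample rules mirror Axel's, with the admin DN replaced by a constructed placeholder; the parser assumes the usual `{n}to <what> by <who> <access> ...` form with no literal "by" inside the <what> part.

```python
import re

# Constructed sample modelled on the rules quoted in the thread.
FRONTEND_ACL = [
    '{0}to dn.base="" by * read',
    '{1}to dn.base="cn=Subschema" by * read',
    '{2}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break',
]
HDB_ACL = [
    '{0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=example,dc=org" write by anonymous auth by self write by * none',
    '{1}to dn.base="" by * read',                 # repeats frontend {0}
    '{2}to dn.base="cn=Subschema" by * read',     # repeats frontend {1}
    '{3}to * by dn="cn=admin,dc=example,dc=org" write by * read',
]

RULE_RE = re.compile(r'^\{(\d+)\}to\s+(.*)$')
# Access levels in increasing order of privilege (slapd.access(5)).
LEVELS = ['none', 'disclose', 'auth', 'compare', 'search', 'read', 'write', 'manage']

def parse_rule(line):
    """Split one olcAccess value into (index, what, [(who, access), ...])."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an olcAccess value: {line!r}")
    idx, rest = int(m.group(1)), m.group(2)
    parts = re.split(r'\s+by\s+', rest)
    clauses = []
    for clause in parts[1:]:
        who, _, access = clause.strip().rpartition(' ')
        clauses.append((who, access))
    return idx, parts[0].strip(), clauses

def anonymous_readable(rules, target):
    """First-match semantics: take the first rule whose <what> equals target,
    then the first <by> clause an anonymous client matches ('*' or 'anonymous'),
    and report whether it grants at least 'read'."""
    for _, what, clauses in map(parse_rule, rules):
        if what != target:
            continue
        for who, access in clauses:
            if who in ('*', 'anonymous'):
                return access in LEVELS and LEVELS.index(access) >= LEVELS.index('read')
        return False
    return False

def duplicated_in_database(frontend, database):
    """Database rules whose <what> and <by> clauses are identical to a frontend rule."""
    fe = {(what, tuple(cl)) for _, what, cl in map(parse_rule, frontend)}
    return [(idx, line) for line in database
            for idx, what, cl in [parse_rule(line)] if (what, tuple(cl)) in fe]
```

Run it against the two lists: rootDSE and cn=Subschema are anonymously readable in the frontend, userPassword is not, and hdb rules {1} and {2} are reported as duplicates of the frontend rules.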