[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Re: Can domain admins be filtered out with ACLs?

To: Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de>
Subject: Re: Re: Can domain admins be filtered out with ACLs?
From: Igor Shmukler <igor.shmukler@gmail.com>
Date: Fri, 17 Apr 2015 08:21:39 +0200
Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=Yu1KqiLUGW9ZYeSeIyaKIHOf4EGI3GdS25M5MhZB9yI=; b=shoUCjLLm3N4KRahPrFVjA0Cik8skVZjWaNdSZensnh3cSjvF9G9dLe1WiXN0zi4DC Jli5vjstNlUeHcsgTK6lomc+0ukobFNecAY0RId7//1SZPShU8Lq7l/KbKDVYQ6QqLtM kiFHfEeJCFGX4Eom8LOucNSPwOUsLRTKKtn3TwTYWgxgfYU/AtcSRammyvQdjZ/x8aw2 7fQ4lvveHKaTnXjYQVooa7UMZynfYOmn4V4qM9fgpn7cQF+k0q857cYJsNZtNE2Kc+wK krskLrHvrzqV+ntaI7tMEFH3hVjUszt7PcPKrvtm5G5jhreq+QdAqxjvSHZOeSN0ekEA hqpA==
In-reply-to: <5530C111020000A100019E06@gwsmtp1.uni-regensburg.de>
References: <CAA1SNA25iD8CjFDDcCeikiXLfseCgwv06x4kGTW3NmXbtPvs0w@mail.gmail.com> <CAA1SNA2PyVhnUN1y_WFsAQ-DX1rDD-2w2qe8Ehg15FJrzFE2Hg@mail.gmail.com> <C40A1A2544EECEE4E75EA494@192.168.1.9> <5530C111020000A100019E06@gwsmtp1.uni-regensburg.de>

Hello Ulrich,

I do not doubt that you are right, yet what to understand.
Why would be rootdn necessary to fix ACLs when we have the config
database without RootDN and therefore that one is cannot be messed up
by applying a filter to the RootDN?

Not that I doubt wisdom of the design decisions.

For my goal, I am going to use olcHidden to achieve what I need
instead. If I cannot properly suspend a DIT, I get close to desired
results by hiding the database.

Sincerely,

Igor Shmukler

On Fri, Apr 17, 2015 at 8:15 AM, Ulrich Windl
<Ulrich.Windl@rz.uni-regensburg.de> wrote:
>>>> Quanah Gibson-Mount <quanah@zimbra.com> schrieb am 16.04.2015 um 20:38 in
> Nachricht <C40A1A2544EECEE4E75EA494@[192.168.1.9]>:
> [...]
>>>From the slapd.access(5) man page:
>>
>>        Be warned: the rootdn can always read and write EVERYTHING!
>
> ...and that is very helpful if you messed up your ACLs...
>
> [...]
>
> Regards,
> Ulrich
>
>

References:
- Can domain admins be filtered out with ACLs?
  - From: Igor Shmukler <igor.shmukler@gmail.com>
- Re: Can domain admins be filtered out with ACLs?
  - From: Igor Shmukler <igor.shmukler@gmail.com>

Prev by Date: catch size and performance
Next by Date: olcHidden breaks slapcat? possible bug in slapcat(8)?
Index(es):
- Chronological
- Thread