SASL EXTERNAL olcRootDN and ACLs
- To: openldap-technical@openldap.org
- Subject: SASL EXTERNAL olcRootDN and ACLs
- From: linux nuse <nuse.linux@yandex.com>
- Date: Thu, 27 Sep 2018 01:41:43 +0300
https://www.openldap.org/doc/admin24/access-control.html says:
Regardless of what access control policy is defined, the rootdn is always allowed full rights (i.e. auth, search, compare, read and write) on everything and anything.
As a consequence, it's useless (and results in a performance penalty) to explicitly list the rootdn among the <by> clauses.
"Well", said I and set olcRootDN to gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth.
Then I tried to add an entry with
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// ....
and OpenLDAP told me that I don't have permission to modify the DB.
I had to grant gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth access to everything in the backend's ACL to make it work.
Is it expected that the gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth rootdn does not have full rights without explicit permission, or do I need to recheck because I could have gotten something wrong (didn't restart slapd or something like that)?
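Added here as an example, not part of the original message: the check that confirms which DN SASL EXTERNAL actually maps the local root user to, and the cn=config change that makes that DN the rootdn of the data database. It assumes the data database is olcDatabase={1}mdb and that slapd listens on ldapi:///; the rootdn bypass described in the admin guide applies only to the database whose olcRootDN carries that exact DN, so the mapped DN and the database index are the two things to verify.

```ldif
# Step 1 (constructed example): confirm the identity slapd derives from the
# ldapi peer credentials. The DN printed here must match olcRootDN
# character for character, otherwise the rootdn bypass never applies.
#   $ sudo ldapwhoami -Y EXTERNAL -H ldapi:///
#   SASL/EXTERNAL authentication started
#   SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
#   SASL SSF: 0
#   dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
#
# Step 2: set that DN as rootdn on the data database (index {1}mdb is an
# assumption; check with the ldapsearch below). The rootdn does not need
# to be an entry under the suffix, and no olcRootPW is needed for a SASL
# identity. Applied with:
#   $ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f rootdn.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

# Step 3: read the setting back. If olcRootDN appears on a different
# database entry than the one holding the suffix being written to, the
# write is still subject to that database's olcAccess rules.
#   $ sudo ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config \
#       "(olcDatabase=*)" olcDatabase olcSuffix olcRootDN
```

cn=config changes take effect immediately, so a slapd restart is not part of this check.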