[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: cn=Subschema and acl

To: openldap-technical@openldap.org
Subject: Re: cn=Subschema and acl
From: Howard Chu <hyc@symas.com>
Date: Thu, 21 Jan 2010 17:40:05 -0800
In-reply-to: <20100121224007.GK16440@samad.com.au>
References: <20100120061701.GA28349@samad.com.au> <4B583484.3020006@phillipoux.net> <20100121212852.GH16440@samad.com.au> <20100121224007.GK16440@samad.com.au>
User-agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.9.3a1pre) Gecko/20100115 SeaMonkey/2.0a1pre Firefox/3.0.3

Alex Samad wrote:
> On Fri, Jan 22, 2010 at 08:28:52AM +1100, Alex Samad wrote:
>> On Thu, Jan 21, 2010 at 12:03:32PM +0100, Jonathan Clarke wrote:
>>> On 01/20/2010 07:17 AM, Alex Samad wrote:
>>>> Hi
>>>>
>>>> I was wonder were do I place acl for cn=Subschema as there doesn;t seems
>>>> to be a db defined for it or is it the same as cn=schmea ?
>>>
>>> Regardless of which database it is attached to, you can define any
>>> ACLs in the global section of the configuration file (before any
>>> database declarations).
>>
>> I am using cn=config/dynamic config so I am not using any slapd.conf.
>>
>> from my reading of slapd-config I gather this is not the same,
>>
>> cause I can put it in olcDatabase=frontend,cn=config which is like a
>> default and the man page seems to suggest that you put acl's with the
>> db's they are mean to control (although now that I re read it, it seems
>> like the acl's are all meant to be in the frontend db).
> 
> More investigation from 
> 
> http://www.openldap.org/doc/admin24/access-control.html#Access%20Control%20via%20Dynamic%20Configuration
> 
> When evaluating whether some requester should be given access to an
> entry and/or attribute, slapd compares the entry and/or attribute to the
> <what> selectors given in the configuration. For each entry, access
> controls provided in the database which holds the entry (or the global
> access directives if not held in any database) apply first, followed by
> the global access directives (which are held in the frontend database
> definition). However, when dealing with an access list, because the
> global access list is effectively appended to each per-database list, if
> the resulting list is non-empty then the access list will end with an
> implicit access to * by * none directive. If there are no access
> directives applicable to a backend, then a default read is used.
> 
> so to me it read
> 
> database acl first
> frontend acl's
> 
> so is it best practice to put everything in the frontend ?

Only if your entire ACL config is meant to apply uniformly to all the
databases in the server. Usually that won't be the case; people tend to create
multiple databases because different parts of their DIT need different settings.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

References:
- cn=Subschema and acl
  - From: Alex Samad <alex@samad.com.au>
- Re: cn=Subschema and acl
  - From: Jonathan Clarke <jonathan@phillipoux.net>
- Re: cn=Subschema and acl
  - From: Alex Samad <alex@samad.com.au>
- Re: cn=Subschema and acl
  - From: Alex Samad <alex@samad.com.au>

Prev by Date: Re: cn=Subschema and acl
Next by Date: olcaccess question
Index(es):
- Chronological
- Thread