
Re: Solved: Re: Possible ACL Issue while try to read Root DSE



Am Wed, 30 Nov 2011 22:05:24 +0100
schrieb Axel Birndt <towerlexa@gmx.de>:

> Hi @all & thanks for your help!
> 
> Am 29.11.2011 12:28, schrieb Axel Birndt:
> >
> >
> > Am 29.11.2011 10:10, schrieb Ondrej Kuznik:
> >
> >> On 11/29/2011 09:13 AM, Axel Birndt wrote:
> >> You should expect a response exactly like this (unless your
> >> database suffix is set to ""):
> >>
> >> ldapsearch -x -D "" -s base -b "" -h localhost
> >
> > ldapsearch -x -D "" -s base -b "" -h localhost
> 
> Now it's working for me. I added the following ACLs in
> 
> olcDatabase={-1}frontend,cn=config
> 
> {0}to dn.base="" by * read
> {1}to dn.base="cn=schema,cn=config" by * read
> {2}to dn.base="cn=Subschema" by * read
> 
> But does the first rule mean that everyone could read everything in this 
> frontend??
> 
> Is this secure? Or is it better to allow only authenticated 
> users to read this?
> 
> Are there any best practices for this?

dn.base="" exposes the rootDSE, which has to be read by any client, so this
should be anonymously readable; the same applies to cn=subschema, as clients
have to know the attribute types and objectclasses available.
But nobody should have access to the schema database, so remove rule {1}.

-Dieter 

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
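The following script is an added example, not something posted in this thread: it writes the frontend ACL as Dieter recommends (rootDSE and cn=Subschema anonymously readable, rule {1} for cn=schema,cn=config dropped), applies it through cn=config, and then checks from the client side that anonymous binds can read exactly those two entries and nothing under cn=config. It assumes an OpenLDAP server reachable at LDAP_HOST (default localhost) and an ldapi:/// socket with SASL EXTERNAL mapped to the config rootdn; both are assumptions, not facts from the thread.

```shell
#!/bin/sh
# Hypothetical server location; override with LDAP_HOST=... when running.
LDAP_HOST="${LDAP_HOST:-localhost}"

# Emit the LDIF that replaces olcAccess on the frontend database with only
# the two rules that should stay anonymous-readable. The rule for
# cn=schema,cn=config is intentionally left out: frontend (global) ACLs are
# appended after each database's own rules, so it would expose the config
# schema entry to anyone.
frontend_acl_ldif() {
  cat <<'EOF'
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to dn.base="" by * read
olcAccess: {1}to dn.base="cn=Subschema" by * read
EOF
}

# Apply the change as the config rootdn over ldapi:/// (assumed setup).
apply_frontend_acl() {
  frontend_acl_ldif | ldapmodify -Y EXTERNAL -H ldapi:/// -Q
}

# Run an anonymous base-scope search against one DN and return the
# ldapsearch exit code (0 = entry returned; 32 = noSuchObject, which is what
# slapd reports when the bound identity may not read the entry).
anon_base_rc() {
  ldapsearch -x -LLL -H "ldap://$LDAP_HOST" -s base -b "$1" 1.1 >/dev/null 2>&1
  echo $?
}

# Verify the intended exposure from the client's point of view.
# Returns 0 if rootDSE and cn=Subschema are readable anonymously and
# cn=schema,cn=config is not; 1 otherwise.
verify_exposure() {
  ok=0
  for dn in "" "cn=Subschema"; do
    rc=$(anon_base_rc "$dn")
    [ "$rc" -eq 0 ] || { echo "FAIL: anonymous read of '$dn' returned $rc"; ok=1; }
  done
  rc=$(anon_base_rc "cn=schema,cn=config")
  [ "$rc" -ne 0 ] || { echo "FAIL: cn=schema,cn=config readable anonymously"; ok=1; }
  [ "$ok" -eq 0 ] && echo "OK: only rootDSE and cn=Subschema are anonymous-readable"
  return "$ok"
}

# Only touch a server when explicitly asked, so the file is safe to source.
if [ "${LDAP_APPLY:-}" = "1" ]; then
  apply_frontend_acl && verify_exposure
fi
```

Run it with `LDAP_APPLY=1 sh frontend-acl.sh` on the directory host; to inspect what the rootDSE actually hands out to an anonymous client afterwards, replace the `1.1` attribute list with `+` (operational attributes such as namingContexts and supportedSASLMechanisms). If `verify_exposure` reports cn=schema,cn=config as readable, check olcDatabase={0}config for a `by * break` clause that is falling through to a still-present frontend rule.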