[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Can domain admins be filtered out with ACLs?

To: Igor Shmukler <igor.shmukler@gmail.com>, openldap-technical@openldap.org
Subject: Re: Can domain admins be filtered out with ACLs?
From: Quanah Gibson-Mount <quanah@zimbra.com>
Date: Thu, 16 Apr 2015 11:38:45 -0700
Content-disposition: inline
Dkim-filter: OpenDKIM Filter v2.9.2 edge01.zimbra.com C023B44272
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zimbra.com; s=C2AA288C-EE47-11E2-9BB0-E820BDD9BDBF; t=1429209537; bh=o0NWcv8hRssO1yiO66KMuDzNJAYo38NkfD7ecaeKSF4=; h=Date:From:To:Subject:Message-ID:MIME-Version:Content-Type: Content-Transfer-Encoding; b=GfQI7Ee82oyjtbuHdCSZfLEqmwfZfjQMQuRJTc4TBB2bQdGITmromAk2BnAJUH6EL 6y1iOR+BS25g77C8+4szKbJJL8ZQtjtCC71bvaLJ1cdHaybuzdSYEuSWmiyRyqmqSK 08bx7doIyW2Mqo4oPQTjEjvLxCr3TpqWk2JF6jm4=
In-reply-to: <CAA1SNA2PyVhnUN1y_WFsAQ-DX1rDD-2w2qe8Ehg15FJrzFE2Hg@mail.gmail.com>
References: <CAA1SNA25iD8CjFDDcCeikiXLfseCgwv06x4kGTW3NmXbtPvs0w@mail.gmail.com> <CAA1SNA2PyVhnUN1y_WFsAQ-DX1rDD-2w2qe8Ehg15FJrzFE2Hg@mail.gmail.com>

--On Thursday, April 16, 2015 9:28 PM +0200 Igor Shmukler<igor.shmukler@gmail.com> wrote:

Hi,

For those, for mind find this thread through google and like me
overwhelmed with information won't understand the documentation.
The RootDN cannot be restricted from having privileges under OpenLDAP
2.4. Hence, ACLs won't do anything for RootDN. This is documented.

From the slapd.access(5) man page:


      Be warned: the rootdn can always read and write EVERYTHING!

From the OpenLDAP 2.4 Admin Guide section on Access Control:


<http://www.openldap.org/doc/admin24/access-control.html>

The default access control policy is allow read by all clients. Regardlessof what access control policy is defined, the rootdn is always allowed fullrights (i.e. auth, search, compare, read and write) on everything andanything.


So, it seems to me, it is quite clearly documented in multiple locations.

--Quanah


--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration

References:
- Can domain admins be filtered out with ACLs?
  - From: Igor Shmukler <igor.shmukler@gmail.com>
- Re: Can domain admins be filtered out with ACLs?
  - From: Igor Shmukler <igor.shmukler@gmail.com>

Prev by Date: Re: Can domain admins be filtered out with ACLs?
Next by Date: catch size and performance
Index(es):
- Chronological
- Thread