schema access must not be controlled by ACL (ITS#2706)
Full_Name: suomi hasler
Version: openldap-2.1.22-1
OS: Linux 2.4.19-4GB
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (195.141.97.126)
I am intending to use LDAP for NSS purposes. To this aim, I install ACLs as
restrictive as possible. But when I installed the following ACL:

    access to *
        by dn="cn=suomi,ou=pam-ldap,dc=ayni,dc=com" write
        by dn="cn=manager,dc=ayni,dc=com" write
        by self write
        by anonymous none

I could not even read such basic things as the namingcontext and the schema any
more.
RFC 2251 says (section 3.2.2):
Servers which follow X.500(93) models SHOULD implement subschema
using the X.500 subschema mechanisms, and so these subschemas are not
ordinary entries. LDAP clients SHOULD NOT assume that servers
implement any of the other aspects of X.500 subschema. A server
which masters entries and permits clients to modify these entries
MUST implement and provide access to these subschema entries, so that
its clients may discover the attributes and object classes which are
permitted to be present. It is strongly recommended that all other
servers implement this as well.
That leads me to think that entries like the namingcontext and the schema must not
be protected by ACL.
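As an added illustration, not part of the report above: the same ACL with two explicit read grants placed ahead of the catch-all rule. slapd evaluates "access to" clauses in order and the first clause whose target matches decides, so the root DSE (the empty DN, where namingContexts lives) and the subschema entry stay readable while every other entry keeps the restrictive rules; the DNs are the ones from the report.

```conf
# slapd.conf ACL fragment (added example, not from the report)

# Root DSE: the empty DN; carries namingContexts, supportedLDAPVersion, etc.
access to dn.base=""
        by * read

# Subschema subentry: object classes and attribute types clients discover
access to dn.base="cn=Subschema"
        by * read

# Everything else: the restrictive rules from the report, unchanged
access to *
        by dn="cn=suomi,ou=pam-ldap,dc=ayni,dc=com" write
        by dn="cn=manager,dc=ayni,dc=com" write
        by self write
        by anonymous none
```

With "by * read" the root DSE and schema are readable by anonymous clients as well; if that is not wanted, narrow those two "by" clauses to "users" or to the specific DNs that need them.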