(ITS#5625) memberOf search ACLs
Full_Name: Andrew Bartlett
Version: CVS HEAD
OS: Fedora 9
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (59.167.251.137)
From the thread on openldap-technical:
> Hmm, I have the module loaded globally - perhaps I need a global rootdn
> of some kind defined?
>
> I have one per-database (now), but the documentation strongly encourages
> one not to have a rootdn at all.
The fix was to define rootdn globally (as the module operates globally),
and then to give it explicit manage access in an ACL, e.g.:
access to dn.subtree="${DOMAINDN}"
        by dn=cn=samba-admin,cn=samba manage
        by dn=cn=manager manage
        by * none

rootdn cn=Manager
Adding a rootdn to each database then quashed the warnings about 'rootdn
can always manage'.
Otherwise, if I had 'by * read' then this also allowed the module to operate
correctly (but without the secrecy I desired).
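For illustration, a full slapd.conf sketch of the arrangement described in this report (added here, not taken from the report or from Samba's generated config): a global rootdn for the globally loaded memberof module, the same rootdn repeated per database, and an ACL that grants it manage access explicitly instead of opening the tree with 'by * read'. The suffix, directory, rootpw and module path are assumed placeholders.

```conf
# ---- global section: the module is loaded here, so give it a rootdn here ----
include         /etc/openldap/schema/core.schema
modulepath      /usr/lib/openldap            # assumed path
moduleload      memberof.la

# Global rootdn, as in the report: the memberof overlay runs its internal
# updates of the memberOf attribute as rootdn, so without this the updates
# are subject to the ACL below and fail under 'by * none'.
rootdn          "cn=Manager"

# ---- database section ----
database        hdb
suffix          "dc=example,dc=com"          # stands in for ${DOMAINDN}
directory       /var/lib/ldap/example        # assumed path
# Repeating rootdn per database quashes the 'rootdn can always manage' warning.
rootdn          "cn=Manager"
rootpw          {SSHA}REPLACE-WITH-REAL-HASH # placeholder, never a clear-text value

overlay         memberof
memberof-group-oc   groupOfNames
memberof-member-ad  member
memberof-memberof-ad memberOf

# Weak variant from the report: works, but exposes every entry to anonymous
# readers (kept here only to show what the explicit grant replaces):
#   access to dn.subtree="dc=example,dc=com"
#           by * read

# Corrected ACL: explicit manage grants, everything else denied.
access to dn.subtree="dc=example,dc=com"
        by dn.exact="cn=samba-admin,cn=samba" manage
        by dn.exact="cn=Manager" manage
        by * none
```

Run `slaptest -f slapd.conf -u` after editing to confirm the file parses before restarting slapd.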