Re: [LDAP-SOFTWARE] ACL and regex (matching self)
Hi Kurt,
Again, these questions: could you help me with a (real) answer?
> >> 1. Is it normal that these things (whatever they are) need to be defined
> >> by me, the admin (or user if you prefer)?
> >>
> >> 2. If so, where can I find a list of all the things I need to give ACLs
> >> for?
{snip}
> >Feb 25 03:10:04 curacao slapd[864]: => access_allowed: search access to
> >"cn=Subschema" "objectClass" requested
>
> Well, what policy are you attempting to implement?
I try to implement a policy based on all the entries I entered. But there seem
to be more (hidden, unknown) entries that interfere with my entries and
ACLs. The root DSE is one of them. Are there more? What is the full list of
entries that are made by the system itself, and to which of them should I
grant access to read, write, search, whatever?
As you remember, this thread started off with a lot of confusion on my side. I
am much closer to understanding what is happening now, but I miss this
essential part of information. I've never heard of 'cn=Subschema' and I
didn't create it myself. Isn't it only fair that you or anyone else tells me
what's under the hood?
And 'use the source, Luke' won't do ;)
I looked at the source, but the C code is for me like... Bulgarian (I know
some of it, but not enough to survive).
Some critique: I find it strange that my ACLs and my LDIF entries are not the
only thing I have to think about. Why should I think of the root DSE? Fact
is, without the root DSE access, my ACLs are *not* behaving like they should.
TIA,
Ace
>
> >So, now I suspect that somewhere a DN 'cn=Subschema' must exist. But, that
> > is not in the root DSE anymore, if I understand this correctly.
>
> The subschema has never been published in the root DSE. It's
> published in a subschema subentry called (unless you change it)
> "cn=Subschema".
>
> >Do I need to make these DNs or are they 'system' DNs?
>
> The server always "makes" them... Whether they are accessible
> or not depends upon what access controls you put in place.
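
The slapd trace line quoted in this message is itself a way to see which server-generated entries clients ask for. The following is an added example, not part of the original message or of OpenLDAP: it scans `access_allowed` lines and lists the requested entries that lie outside the administrator's own suffix. The suffix `dc=example,dc=com` and every sample line except the `cn=Subschema` one are constructed.

```python
import re

# Matches slapd ACL trace lines of the form quoted in the message:
#   => access_allowed: search access to "cn=Subschema" "objectClass" requested
ACCESS_RE = re.compile(
    r'=> access_allowed: (?P<level>\w+) access to '
    r'"(?P<dn>[^"]*)" "(?P<attr>[^"]*)" requested'
)

def normalize(dn):
    """Lower-case a DN and drop spaces around commas (simplified; ignores escaped commas)."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def under_suffix(dn, suffix):
    """True if dn is the suffix entry itself or lies below it."""
    dn, suffix = normalize(dn), normalize(suffix)
    return dn == suffix or dn.endswith("," + suffix)

def server_entries_requested(log_lines, suffixes):
    """Return {dn: {(level, attr), ...}} for requested entries outside every suffix."""
    found = {}
    for line in log_lines:
        m = ACCESS_RE.search(line)
        if not m:
            continue  # not an ACL trace line
        dn = m.group("dn")
        if any(under_suffix(dn, s) for s in suffixes):
            continue  # an entry the administrator loaded from LDIF
        found.setdefault(normalize(dn), set()).add((m.group("level"), m.group("attr")))
    return found

# First line is the one from the message (rejoined); the rest are constructed samples.
SAMPLE_LOG = [
    'Feb 25 03:10:04 curacao slapd[864]: => access_allowed: search access to "cn=Subschema" "objectClass" requested',
    'Feb 25 03:10:05 curacao slapd[864]: => access_allowed: read access to "" "entry" requested',
    'Feb 25 03:10:06 curacao slapd[864]: => access_allowed: read access to "uid=jdoe, ou=People, dc=example, dc=com" "userPassword" requested',
    'Feb 25 03:10:07 curacao slapd[864]: conn=12 op=1 SRCH base="" scope=0 filter="(objectClass=*)"',
]

if __name__ == "__main__":
    hits = server_entries_requested(SAMPLE_LOG, ["dc=example,dc=com"])
    for dn, requests in sorted(hits.items()):
        label = dn or '"" (root DSE)'
        for level, attr in sorted(requests):
            print(f"{label}: {level} access to {attr}")
```

Each DN it reports is an entry that ACLs must cover explicitly if clients are expected to reach it.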