
Schema not available with restrictive ACLs



Hi again! I was working to clamp down on our openldap server with ACLs and
noticed that some tools that expect to see the schema from the LDAP server
(I believe this is always made available to an LDAP client, even when using
an anon. bind) failed. Is there a way I can stop anon. connections but still
allow schema viewing?

Our ACLs basically consist of this:

access to attrs=userPassword
        by * auth

access to dn.regex=".*,ou=People,dc=example,dc=com"
        by dn.exact="uid=app,ou=Accounts,dc=example,dc=com" write
        by dn.exact="uid=app2,ou=Accounts,dc=example,dc=com" read
        by dn.exact="uid=app3,ou=Accounts,dc=example,dc=com" read

I read the slapd.conf manpage and I didn't see anything specific to ACLs and
schemas.

I was thinking of something along the lines of:

access to schema
        by * read

access to attrs=userPassword
        by * auth

access to dn.regex=".*,ou=People,dc=example,dc=com"
        by dn.exact="uid=app,ou=Accounts,dc=example,dc=com" write
        by dn.exact="uid=app2,ou=Accounts,dc=example,dc=com" read
        by dn.exact="uid=app3,ou=Accounts,dc=example,dc=com" read
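There is no "access to schema" target in slapd, but the schema is an ordinary entry as far as ACLs are concerned: clients read the subschemaSubentry attribute from the rootDSE (the empty DN) and then do a base-scope search on cn=Subschema, so both of those DNs need "read" for "*" while everything else stays closed. The fragment below is an added example of that ACL set for slapd.conf, written for this page and not taken from the original post or from the OpenLDAP project; the DNs under dc=example,dc=com are the poster's, and the dn.base targets and the first-match evaluation order are as documented in slapd.access(5).

```conf
# Added example (not from the original post): restrictive slapd.conf ACLs
# that still let unauthenticated clients fetch the schema.
#
# slapd evaluates "access to" clauses in order and uses the first one whose
# target matches, then the first "by" clause inside it that matches the
# requester; an implicit "by * none" ends every clause.

# 1. Passwords are only usable for binding. This must precede any clause
#    that would otherwise grant read on the whole entry.
access to attrs=userPassword
        by * auth

# 2. rootDSE (empty DN) and the subschema subentry. Tools that "expect to
#    see the schema" read subschemaSubentry from "" and then search
#    cn=Subschema with scope base, so both need read for everyone,
#    anonymous included.
access to dn.base=""
        by * read

access to dn.base="cn=Subschema"
        by * read

# 3. The application accounts. dn.regex replaces the deprecated dn="<regex>"
#    form; dn.exact avoids the regex match on the requester side.
access to dn.regex=".*,ou=People,dc=example,dc=com"
        by dn.exact="uid=app,ou=Accounts,dc=example,dc=com" write
        by dn.exact="uid=app2,ou=Accounts,dc=example,dc=com" read
        by dn.exact="uid=app3,ou=Accounts,dc=example,dc=com" read

# 4. Everything else. slapd already denies targets that no clause matches
#    once any "access" directive exists, but stating it keeps the intent
#    visible to the next person who edits this file.
access to *
        by * none
```

To check it, run an anonymous base search against the subschema entry, for example `ldapsearch -x -H ldap://localhost -b cn=Subschema -s base '(objectClass=subschema)' objectClasses attributeTypes`, and confirm it returns the schema; then run the same anonymous `ldapsearch -x` with `-b ou=People,dc=example,dc=com` and confirm it returns no entries. Two caveats on the "stop anonymous connections" half of the question: `disallow bind_anon` only rejects explicit anonymous bind requests, and a client that never binds is still anonymous and is governed by these ACLs, which is the behaviour you want here; `require authc`, on the other hand, refuses every operation from an unauthenticated client, so it would also break the schema read these rules are meant to allow.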