
Re: Schema not available with restrictive ACLs





I think you should give access to the root dn

like this (as the first ACL):

access to ""
	by * read

It bugged me for quite a while, and I asked a couple of times on this list a
year ago or so and got no answers :-)

_Ace


> Um, hmm, not sure what to say. I did try it (and found the problem) and did
> post it. :)
>
> Here it is again, just in case:
>
> access to attrs=userPassword
>         by * auth
>
> access to dn=".*,ou=People,dc=example,dc=com"
>         by dn="uid=app,ou=Accounts,dc=example,dc=com" write
>         by dn="uid=app2,ou=Accounts,dc=example,dc=com" read
>         by dn="uid=app3,ou=Accounts,dc=example,dc=com" read
>
> These ACLs don't allow tools such as LDAP Administrator to view the schema.
> It seems some tools want to view the schema anonymously.
>
> So my question all boiled down to whether there was a:
>
> access to schema
>     by * read
>
> style solution? Or another way that I need to approach this? Or do I just
> resign myself to not allowing anyone to view the schema if I want to lock down
> access to our directory to auth-only users.
>
> I was looking for a solution. I'm not aware of one, and don't see one in
> the manpages.
>
> Thanks!
>
> ----- Original Message -----
> From: "Tony Earnshaw" <tonye@billy.demon.nl>
> To: "Openldap list" <openldap-software@OpenLDAP.org>
> Sent: Sunday, May 16, 2004 1:50 PM
> Subject: Re: Schema not available with restrictive ACLs
>
> > Sun, 16.05.2004 at 18.04 adp wrote:
> > > I should have made it more clear that "access to schema" was entirely made
> > > up by me. I know that is really invalid. I was just trying to make it
> > > clear what I wanted to do. AD lets you do this for example. You can
> > > access the schema, but anything past that requires authentication.
> > >
> > > Hmm.. time to rephrase I think.
> > >
> > > My question can be summed up as this: How can I ensure all applications
> > > can access my schema while still restricting access to everything in my
> > > LDAP directory to auth users only?
> >
> > Why not just get stuck in and do it? When it doesn't work and you've
> > read all the man pages, archives, FAQs and Internet/archive stuff that
> > you can and it then still doesn't work, say what didn't work, and post
> > here :) I just had to "invent" a working ACL/schema for a new
> > authentication/ SASL smtp/IMAP mail/ SASL Openldap conglomeration for a
> > largish high school and hadn't got the faintest idea of what actually
> > was going to /work/ until before I'd drawn it all up and then tried it
> > out in practice. Turned out a couple of things needed a completely
> > different approach than I'd thought in the first place, but I wouldn't
> > have found out if I hadn't tried it out.
> >
> > Best,
> >
> > --Tonni
> >
> > --
> >
> > We make out of the quarrel with others rhetoric
> > but out of the quarrel with ourselves, poetry.
> >
> > mail: billy - at - billy.demon.nl
> > http://www.billy.demon.nl

-- 
Ace Suares' Internet Consultancy
NEW ADDRESS: P.O. Box 2599, 4800 CN Breda
telephone: 06-244 33 608
fax and voicemail: 0848-707 705
website: http://www.suares.nl * http://www.qwikzite.nl
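As an added example (written for this archive page, not by either poster), here is the questioner's ACL set reworked so that the root DSE and the subschema subentry are readable by everyone while the directory data stays restricted. The suffix and the `uid=app*` DNs come from the quoted post; `cn=Subschema` is slapd's default subschemaSubentry name, and the `dn.base`/`dn.children`/`dn.exact` styles are assumed to be available (OpenLDAP 2.1 or later).

```conf
# slapd.conf ACL fragment (added example, not from the thread).
# slapd walks the "access to" clauses in order and uses the first <what>
# that matches the target entry, so the two anonymous read exceptions must
# sit above any clause that could otherwise swallow them.

# 1. Root DSE: clients fetch namingContexts, supportedSASLMechanisms and
#    subschemaSubentry from here, usually before they bind.
access to dn.base=""
        by * read

# 2. The schema itself. cn=Subschema holds only objectClasses,
#    attributeTypes, matchingRules etc., never directory entries.
access to dn.base="cn=Subschema"
        by * read

# 3. Passwords stay bind/compare-only, as in the original post.
access to attrs=userPassword
        by * auth

# 4. Entries below ou=People are limited to the three service accounts.
#    dn.children matches the same entries as the original ".*,ou=People,..."
#    regex (everything under the OU, not the OU entry itself); dn.exact
#    makes the <who> match unambiguous.
access to dn.children="ou=People,dc=example,dc=com"
        by dn.exact="uid=app,ou=Accounts,dc=example,dc=com" write
        by dn.exact="uid=app2,ou=Accounts,dc=example,dc=com" read
        by dn.exact="uid=app3,ou=Accounts,dc=example,dc=com" read

# 5. Explicit catch-all so nothing else leaks to anonymous or to
#    authenticated users that no earlier clause named.
access to *
        by * none

# Verification from a shell, all without -D/-w (i.e. anonymous):
#   ldapsearch -x -s base -b ""            +              # root DSE, operational attrs
#   ldapsearch -x -s base -b "cn=Subschema" objectClasses # schema must come back
#   ldapsearch -x -b "ou=People,dc=example,dc=com" "(uid=*)"  # must return no entries
```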