
Re: ACLs applying to RootDSE



> Define those ACLs before any database definition ...
>
> ie:
>
> [ assuming the rest of the config file such as schemas is above]
>
> access to dn.exact=""
>          by * read
>
> access to dn.subtree="cn=Subschema"
>          by * read
>
> database bdb
>
> [continue database definitions]

I'm afraid this is not enough, because if the first database related ACLs
contain a catchall like

database bdb
suffix "dc=example,dc=com"
access to *
    by users read
# implying "by * none"

then the global ACLs are never reached.  All ACLs of the first database
must be scoped to allow reaching the global ones (and all per-database
ACLs should, for clarity and consistency).

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
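
The shadowing described in this message can be reproduced with a small first-match evaluator. This is an added example, not part of the original message and not OpenLDAP code; the rule encoding, function names and bind DN are assumptions, and the ordering (first database's ACLs, then the global ones) is taken from the message.

```python
# Added example: simplified model of slapd's first-match ACL evaluation.
# Rule = (what, [(who, level), ...]); what = (style, base). Names are illustrative.

GLOBAL_ACL = [                      # defined before any "database" line
    (("exact", ""), [("*", "read")]),
    (("subtree", "cn=Subschema"), [("*", "read")]),
]
CATCHALL_DB_ACL = [                 # "access to * by users read"
    (("*", None), [("users", "read")]),
]
SCOPED_DB_ACL = [                   # same rule, scoped to the database suffix
    (("subtree", "dc=example,dc=com"), [("users", "read")]),
]

def what_matches(what, target_dn):
    style, base = what
    if style == "*":
        return True
    dn, base = target_dn.lower(), base.lower()
    if style == "exact":
        return dn == base
    if style == "subtree":
        return base == "" or dn == base or dn.endswith("," + base)
    raise ValueError("unsupported <what> style: %s" % style)

def who_matches(who, bound_dn):
    if who == "*":
        return True
    if who == "users":              # any authenticated identity
        return bound_dn is not None
    raise ValueError("unsupported <who>: %s" % who)

def effective_acl(first_db_acl):
    # Per the message: the first database's ACLs are tried before the global ones.
    return first_db_acl + GLOBAL_ACL

def access(acl, target_dn, bound_dn=None):
    """Level granted by the first <what> clause matching target_dn."""
    for what, by_clauses in acl:
        if not what_matches(what, target_dn):
            continue
        for who, level in by_clauses:
            if who_matches(who, bound_dn):
                return level
        return "none"               # implicit trailing "by * none"
    return "none"                   # implicit trailing "access to * by * none"

if __name__ == "__main__":
    for name, db in (("catch-all", CATCHALL_DB_ACL), ("scoped", SCOPED_DB_ACL)):
        print(name, "-> anonymous on root DSE:", access(effective_acl(db), ""))
```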