
Re: ACLs applying to RootDSE



Matthew J. Smith wrote:

> Thank you all for the replies!  I actually have been using the
> dn.subtree syntax on each ACL, which works great.  Right now, I am the
> only admin of this system, so this is simple.  However, as a few more
> admins get involved, with their own suffixes/databases, I'd like to give
> them their own db-xyz.acl file, included in slapd.conf for their
> database.  I trust them to not do anything malicious on purpose -- but I
> also want to safeguard against them simply reading something from
> Google, and implementing an "access to * by * write", for example, and
> having that affect RootDSE and Schema.

This may only happen within the first database instance.


> For now, I may just give them their own instances of OpenLDAP, running
> on a different URI.


I think this is wise, since global config directives can still appear inside database definitions, so leaving too much freedom could result in unexpected behavior for other reasons as well.

p.



SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
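As an added illustration of the setup discussed in the thread (this is not configuration from either poster), the fragments below show a slapd.conf that includes a per-database ACL file, the unscoped "access to * by * write" rule a delegated admin might paste in, and the dn.subtree-anchored form that cannot match anything outside that admin's suffix. The file names, suffix, DNs and directory are hypothetical.

```conf
# slapd.conf (hypothetical): the main file keeps the global section tight
# and includes one ACL file per delegated database.  Global access
# directives are the fallback for every database, so nothing permissive
# belongs here.
access to * by * none

database        bdb
suffix          "dc=xyz,dc=example"
rootdn          "cn=admin,dc=xyz,dc=example"
directory       /var/lib/ldap/xyz
include         /etc/openldap/db-xyz.acl

###### db-xyz.acl, the form to avoid ######
# "to *" is not limited to entries under dc=xyz,dc=example: it matches
# every DN this rule set is evaluated against, which is exactly how a
# pasted one-liner ends up granting write access where it was never meant.
access to *
    by * write

###### db-xyz.acl, scoped form ######
# Every rule is anchored to the database suffix with dn.subtree, so no
# rule can apply to an entry outside dc=xyz,dc=example.  Passwords get
# their own narrower rule first, because rules are evaluated in order and
# the first "to" clause that matches wins.
access to dn.subtree="dc=xyz,dc=example" attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to dn.subtree="dc=xyz,dc=example"
    by dn.exact="cn=ops,dc=xyz,dc=example" write
    by users read
    by * none
```

The rootdn bypasses ACLs entirely, so the delegated operator in the scoped file is a separate DN (cn=ops) rather than the rootdn. A quick sanity check when reviewing a contributed ACL file is to reject any "access to" clause that does not start with dn.subtree= or dn.children= set to that database's own suffix.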