[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: rootdn and ACI

To: ando@sys-net.it
Subject: Re: rootdn and ACI
From: Saket Sathe <saket@cc.iitb.ac.in>
Date: Wed, 30 Mar 2005 19:16:31 +0530
Cc: openldap-software@OpenLDAP.org
In-reply-to: <33640.131.175.154.56.1112188790.squirrel@131.175.154.56>
References: <424A9A34.9080404@cc.iitb.ac.in> <33640.131.175.154.56.1112188790.squirrel@131.175.154.56>
User-agent: Mozilla Thunderbird 0.7.1 (X11/20040626)

Pierangelo Masarati wrote:

Hi, If I bind using rootdn do I bypass all the ACIs that are present in

slapd.conf ?

ACI (at least in OpenLDAP's slapd jargon) indicate a specific access
control means, based on data held insite the objects access is checked
for.  Usually access control in general is indicated as ACL.

I have some confusion regarding this, some clarification will surely

help.

Yes, if you bind as the rootdn of a database, and check access to objects
belonging to that database, access control is short-circuited, and the ACL
rules are not checked.

You didn't mention what version of the sofware you're using, but as far as
I can tell this has always been true.

I have an ACL like: access to dn.regex="uid=[^,]+,ou=[^,]+,ou=([^,]+),ou=People,dc=iitb,dc=ac,dc=in$" attrs=mailHost by ... *other requesters (part omitted to maintain clarity)* by anonymous auth by users read

Now if I bind using rootdn, I am not able to read the 'mailHost' attribute. My rootdn is cn=Manager,dc=iitb,dc=ac,dc=in. I am using OL 2.2.24. Shall I post all my ACLs ?

--
Saket.

Follow-Ups:
- Re: rootdn and ACI
  - From: "Pierangelo Masarati" <ando@sys-net.it>

References:
- rootdn and ACI
  - From: Saket Sathe <saket@cc.iitb.ac.in>
- Re: rootdn and ACI
  - From: "Pierangelo Masarati" <ando@sys-net.it>

Prev by Date: number of all entries of a LDAP server
Next by Date: Re: syncrepl 2.3.2beta
Index(es):
- Chronological
- Thread