[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Problems with RootDSE and Access Controls



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Steve Kapinos wrote:
> I have been using openldap 2.2 w/o issue using only the rootdn and
> allowing anonymous read.
> 
> I am now trying to implement access control to allow selective reading
> and writing to OUs in the directory.
> 
> The issue I'm having is, apparently I'm not giving enough access to get
> the 'rootDSE'.  I can not find anything googling or using faq-o-matic on
> describing exactly which entry this is or what is required for ldap
> clients.  Best I can tell is LDAP v3 is supposed to 'advertise' this
> RootDSE, LDAP v2 does not.  That's all I can find background wise on
> this.
> 
> What I see in practice is, my softtera ldap browser I'm using as a
> control test, complains 'No RootDSE found - probably it is an LDAPv2
> server. Using default schema...'.  But it continues on Ok.  When this
> happens, my other ldap client implementation freaks.

LDAPv3 clients will most likely want to find out something about your
directory server on connection, such as:
- -where to find the schema
- -what authentication mechanisms are available
- -what controls and extensions are available

without this information, the client may not even be able to decide
whether it should bind or not (or prompt the user for a username, prompt
the user that it may be insecure etc etc).

> 
> If I open anonymous access to everything, it works fine.  If I have my
> access controls on, I can read/deny the OUs how I want it just fine in
> softera's client, but I always get this rootDSE error which causes my
> second ldap client to freak.. While the softera client rolls back to v2
> ok.
> 
> So my question is, what do I have to make the rootdse available?
> 
> The base of the directory is  dc=tandberg,dc=int

Sure, but it's not the rootDSE, which is "".

> 
> I've tried 
> 
> access to dn.base="dc=tandberg,dc=int" by * read  

Something like this should probably be your first ACL:

# The root DIT should be accessible to all clients
access to dn.exact=""
        by * read

And, you may also want something like:

# So should the schema
access to dn.exact="cn=Subschema"
        by * read


Regards,
Buchan

- --
Buchan Milne                              Systems Architect
Obsidian Systems                  http://www.obsidian.co.za
B.Eng          RHCE (803004789010797),LPIC-1 (LPI000074592)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFC9ymprJK6UGDSBKcRAinfAKCNN/3hH6iyKjhNBaOBeBprL9wxqgCfbg1z
qBeCgJ4ATtHlqXEQljKFYpk=
=luW5
-----END PGP SIGNATURE-----