Re: Problems with RootDSE and Access Controls
Steve Kapinos wrote:
> I have been using openldap 2.2 w/o issue using only the rootdn and
> allowing anonymous read.
>
> I am now trying to implement access control to allow selective reading
> and writing to OUs in the directory.
>
> The issue I'm having is, apparently I'm not giving enough access to get
> the 'rootDSE'. I cannot find anything googling or using faq-o-matic
> describing exactly which entry this is or what is required for LDAP
> clients. Best I can tell is LDAP v3 is supposed to 'advertise' this
> RootDSE, LDAP v2 does not. That's all I can find background-wise on
> this.
>
> What I see in practice is, my Softerra LDAP browser I'm using as a
> control test complains 'No RootDSE found - probably it is an LDAPv2
> server. Using default schema...'. But it continues on OK. When this
> happens, my other LDAP client implementation freaks.
LDAPv3 clients will most likely want to find out something about your
directory server on connection, such as:
- where to find the schema
- what authentication mechanisms are available
- what controls and extensions are available
Without this information, the client may not even be able to decide
whether it should bind or not (or prompt the user for a username, prompt
the user that it may be insecure, etc.).
>
> If I open anonymous access to everything, it works fine. If I have my
> access controls on, I can read/deny the OUs how I want just fine in
> Softerra's client, but I always get this rootDSE error, which causes my
> second LDAP client to freak, while the Softerra client rolls back to v2
> OK.
>
> So my question is, what do I have to do to make the rootDSE available?
>
> The base of the directory is dc=tandberg,dc=int
Sure, but it's not the rootDSE, which is "".
>
> I've tried
>
> access to dn.base="dc=tandberg,dc=int" by * read
Something like this should probably be your first ACL:
# The root DIT should be accessible to all clients
access to dn.exact=""
    by * read
And, you may also want something like:
# So should the schema
access to dn.exact="cn=Subschema"
    by * read
Regards,
Buchan
--
Buchan Milne Systems Architect
Obsidian Systems http://www.obsidian.co.za
B.Eng RHCE (803004789010797),LPIC-1 (LPI000074592)
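A fuller slapd.conf ACL block for the situation in this thread, added here as an illustration and not Buchan's or the poster's own configuration. It assumes an ou=People subtree and a cn=dirAdmins group under the dc=tandberg,dc=int suffix; everything else follows the two rules quoted in the reply.

```conf
# Added example slapd.conf ACLs (OpenLDAP 2.2 syntax). slapd evaluates
# "access to" clauses in order and the first one whose target matches wins,
# so the rootDSE and subschema rules must sit above the narrower ones.

# The rootDSE is the entry with the empty DN "" (not the suffix entry).
# LDAPv3 clients read it on connect to learn supportedSASLMechanisms,
# supportedControl, supportedExtension and the subschemaSubentry DN.
access to dn.exact=""
    by * read

# Clients then follow subschemaSubentry here to load attribute and
# objectClass definitions, so it should be readable as well.
access to dn.exact="cn=Subschema"
    by * read

# Passwords: the owner may change them, anyone may bind against them
# (auth), nobody gets to read the hashes back.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# ou=People (assumed name): the admin group writes, authenticated users read.
access to dn.subtree="ou=People,dc=tandberg,dc=int"
    by group.exact="cn=dirAdmins,ou=Groups,dc=tandberg,dc=int" write
    by users read
    by * none

# Everything else under the suffix, including dc=tandberg,dc=int itself,
# is readable only after a successful bind. Once any "access" directive
# exists, slapd denies whatever no clause matches, which is why the
# rootDSE needed an explicit rule in the first place.
access to dn.subtree="dc=tandberg,dc=int"
    by users read
    by * none
```

To confirm the first rule works, an anonymous base-scope search of the empty DN should return the rootDSE: `ldapsearch -x -H ldap://localhost -b "" -s base '+'` (the `+` requests the operational attributes the rootDSE consists of).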