[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: requesting clarification of use of config backend

To: Brian Reichert <reichert@numachi.com>
Subject: Re: requesting clarification of use of config backend
From: Howard Chu <hyc@symas.com>
Date: Mon, 12 Sep 2005 15:47:12 -0700
Cc: openldap-software@OpenLDAP.org
In-reply-to: <20050912154147.GF52059@numachi.com>
References: <20050912154147.GF52059@numachi.com>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20050909 SeaMonkey/1.1a

For docs, see http://www.openldap.org/doc/admin23/slapdconf2.html

It is redundant to list the rootdn in any ACL clause; the rootdn always has full privileges and ignores all ACLs. Listing the rootdn merely makes ACL evaluation slower for regular users.

The order of directives in your slapd.conf snippets is wrong. The "rootdn" directive must follow the relevant "database" directive if you want it to apply to a particular database.

The config database currently does not honor ACLs; it is hardcoded to only allow access to the rootdn.

There is an outstanding bug in 2.3.7 related to quoting/escaping values in config directives. This bug has been fixed in HEAD. (ITS#3807) It's likely that this bug will cause your ACL definitions to be parsed incorrectly. You can pull the latest version of slapd/bconfig.c and slapd/config.c from CVS to test.

Brian Reichert wrote:

I've recently begun to explore the config backend for OpenLDAP 2.3.7, and
and running into what appears to be an ACL issue, but I can't figure out
what I've done wrong, nor how to explore further.
What I think are pertinent snippets from my slapd.conf:
  rootdn          "cn=manager,com=foo"
  database config
  defaultaccess none
  access to dn.subtree="cn=config"
                     by dn.exact="cn=manager,com=foo" write
                     by * read
I created my slapd.d directory:
# mkdir -p /etc/openldap/slapd.d # slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d # mv /etc/openldap/slapd.conf /etc/openldap/slapd.conf.test # chown -R ldap:ldap /etc/openldap/slapd.d/ slapd.d does seem to be fully populated, and slapd was successfully restarted. But, when I attempt to search this database:
  # ldapsearch -x -LLL -D cn=manager,com=foo -w foobar \
      -b cn=config > /var/tmp/ldif.out
  Insufficient access (50)
Does anyone see anything obviously wrong here?  I had several
databases with identical ACLs, which I can search, so I know I have
my credentials right.
Running the server and ldapsearch with '-d -1' doesn't reveal
anything like UNIX permission errors.
Alas, I could not find a manpage for slapd.d, nor slapd-config, so
I'm running blind, here...
I'd appreciate any feedback you folks can provide.
-- Brian Reichert <reichert@numachi.com> 55 Crystal Ave. #286 Daytime number: (603) 434-6842 Derry NH 03038-1725 USA BSD admin/developer at large

--
 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/

Follow-Ups:
- Re: requesting clarification of use of config backend
  - From: Brian Reichert <reichert@numachi.com>
- Re: requesting clarification of use of config backend
  - From: Andreas Hasenack <ahasenack@terra.com.br>

References:
- requesting clarification of use of config backend
  - From: Brian Reichert <reichert@numachi.com>

Prev by Date: Re: slapd stops processing searches
Next by Date: Re: Re: backends LDAP and META
Index(es):
- Chronological
- Thread