On 5/22/06, Aaron Richton <richton@nbcs.rutgers.edu> wrote:
> Care to share the ACL you're using? I've tried both of these:

In the global section (before any "database" lines), first access line:

access to dn.exact=""
        attrs=supportedSASLMechanisms
        by * none

So with that in place, I lose access to any of the other
configuration-related entries. For example, some of the GUI LDAP
tools (e.g., JXplorer) want to use the data from subschemaSubentry to
find the available objectClasses (by looking in cn=Subschema).
Clearly I can fix this by making the very next line after the above
ACL something like this:

access to dn.subtree=""
        by * read

However, that's a little disconcerting. What are the default
permissions on this "metadata" section of the tree? Is 'by * read' a
reasonable choice?