Re: Connection failures from OS X, appears to be TLS-related

[Howard Chu <hyc@symas.com>]

Ben Beuchler wrote:
> On 5/22/06, Aaron Richton <richton@nbcs.rutgers.edu> wrote:
> > > Care to share the ACL you're using?  I've tried both of these:
> >
> > In the global section (before any "database" lines), first access line:
> >
> > access to dn.exact=""
> >         attrs=supportedSASLMechanisms
> >         by * none
>
> So with that in place, I lose access to any of the other
> configuration-related entries.  For example, some of the GUI LDAP
> tools (e.g., JXplorer) want to use the data from subschemaSubentry to
> find the available objectClasses (by looking in cn=Subschema).
>
> Clearly I can fix this by making the very next line after the above
> ACL something like this:
>
> access to dn.subtree=""
>        by * read
>
> However, that's a little disconcerting.  What are the default
> permissions on this "metadata" section of the tree?  Is  'by * read' a
> reasonable choice?
Use access to dn.exact="" instead; dn.subtree="" means everything on the 
server.

--
 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/