Re: Access to Schema

[Ron Parker <sysop@scbbs.com>]

Yes, you are correct.  When I use this access control

access to dn="cn=Subschema" by * read
access to dn.subtree="cn=Subschema" by * read
(don't know which one works, but one of them does)

and search Subschema locally as a user:

ldapsearch -H "ldap://example.com"; -D 
'cn=Ron,ou=Zimbra,dc=example,dc=com' -x -W -b "cn=Subschema" -s base 
"objectclass=Subschema"

I get the expected results.  However, when I click on the "Schema" tab 
in the client I'm using, I get nothing.  So, I need to find out what the 
actual search being executed is and go from there.

Thank you for your assistance.

-ron

Aaron Richton wrote:

> OpenLDAP test000-rootdse searches cn=Subschema as an anonymous user. 
> Maybe you could start there as your example?
>
> I really doubt that anything "happens automatically"; that's not in 
> the protocol. If you turn on stats/stats2 debug level, you'll likely 
> see that your rootDN-configured client is executing some flavor of 
> search. If you're suspecting acl, you can turn on acl debug level.
>
> On Tue, 17 Jul 2007, Ron Parker wrote:
>
> > I don't know what I mean.  I've searched the Internet for "access to 
> > schema" and can't seem to find an answer that works for what I'm 
> > trying to do.
> >
> > What I want to do is, when a user logs in, to allow the ldap client 
> > to read the schema for the server.  This happens automatically when 
> > the rootdn logs in, but apparently I have to explicity create access 
> > control for a user's client to read the schema.
> >
> > From the examples I've been able to locate and understand, I've tried 
> > the following:
> >
> > access to dn="cn=subschema" by * read
> > access to dn.base="cn=Subschema" by * read
> > access to dn.subtree="cn=Subschema" by * read
> >
> > but none appear to work.  Apparently, I need another example of 
> > exactly what I'm trying to do, which I don't seem able to locate.
> >
> > Thanks!
> >
> > -ron
> >
> > Aaron Richton wrote:
> >
> > > Is this what you mean, or do you mean cn=Subschema? (And note that 
> > > that's not under "dc=example,dc=com." Search the list archive for 
> > > examples.)
> > >
> > > On Tue, 17 Jul 2007, Ron Parker wrote:
> > >
> > > > Now that I can log in as a user: How do I give a user access to 
> > > > schema? This is what I'm trying now (but not working):
> > > >
> > > > access to dn.subtree="cn=schema,dc=example,dc=com"
> > > >       by dn="cn=Ron,ou=Zimbra,dc=example,dc=com" read
> > > >
> > > > What am I missing?  Thanks!
> > > >
> > > > -ron
> > > >
> > > > --
> > > > Ron Parker
> > > > Software Creations               http://www.scbbs.com
> > > > Self-Administration Web Site     http://saw.scbbs.com
> > > > SDSS Subscription Mgmt Service   http://sdss.scbbs.com
> > > > Central Ave Dance Ensemble       http://www.centralavedance.com
> > > > R & B Salsa                      http://www.randbsalsa.com
> > >
> > > __________ NOD32 2403 (20070717) Information __________
> > >
> > > This message was checked by NOD32 antivirus system.
> > > http://www.eset.com
> >
> >
> > --
> > Ron Parker
> > Software Creations               http://www.scbbs.com
> > Self-Administration Web Site     http://saw.scbbs.com
> > SDSS Subscription Mgmt Service   http://sdss.scbbs.com
> > Central Ave Dance Ensemble       http://www.centralavedance.com
> > R & B Salsa                      http://www.randbsalsa.com
>
> __________ NOD32 2403 (20070717) Information __________
>
> This message was checked by NOD32 antivirus system.
> http://www.eset.com


--
Ron Parker
Software Creations               http://www.scbbs.com
Self-Administration Web Site     http://saw.scbbs.com
SDSS Subscription Mgmt Service   http://sdss.scbbs.com
Central Ave Dance Ensemble       http://www.centralavedance.com
R & B Salsa                      http://www.randbsalsa.com