Re: Solved: Re: Possible ACL Issue while try to read Root DSE
On Wed, 30 Nov 2011 22:05:24 +0100,
Axel Birndt <towerlexa@gmx.de> wrote:
> Hi @all & thanks for your help!
>
> On 29.11.2011 12:28, Axel Birndt wrote:
> >
> >
> > On 29.11.2011 10:10, Ondrej Kuznik wrote:
> >
> >> On 11/29/2011 09:13 AM, Axel Birndt wrote:
> >> You should expect a response exactly like this (unless your
> >> database suffix is set to ""):
> >>
> >> ldapsearch -x -D "" -s base -b "" -h localhost
> >
> > ldapsearch -x -D "" -s base -b "" -h localhost
>
> Now it's working for me. I added the following ACLs in
>
> olcDatabase={-1}frontend,cn=config
>
> {0}to dn.base="" by * read
> {1}to dn.base="cn=schema,cn=config" by * read
> {2}to dn.base="cn=Subschema" by * read
>
> But does the first rule mean that everyone could read everything in this
> frontend?
>
> Is this secure? Or is it better to allow only authenticated
> users to read this?
>
> Are there any best practices for this?
dn.base="" exposes the rootDSE, which has to be read by any client, so this
should be anonymously readable; the same applies to cn=subschema, as clients
have to know the attribute types and objectclasses available.
But nobody should have access to the schema database, so remove rule {1}.
-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
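The frontend ACL set Dieter recommends (keep the anonymous-read rules for the rootDSE and the subschema subentry, drop the one for cn=schema,cn=config), written as an ldapmodify LDIF; this is an added example, not something posted in the thread, and it assumes the usual root access to cn=config over ldapi:// with SASL EXTERNAL.

```ldif
# Apply with (assumed setup, adjust to your server):
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f frontend-acl.ldif
# "replace" overwrites every olcAccess value on the frontend, so dump the
# current rules first if you have more than the three from the thread:
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b "olcDatabase={-1}frontend,cn=config" olcAccess
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcAccess
# rootDSE: every client, anonymous included, has to read it before binding
olcAccess: {0}to dn.base="" by * read
# subschema subentry: clients need the attribute types and objectClasses
olcAccess: {1}to dn.base="cn=Subschema" by * read
# The former rule {1} ("to dn.base="cn=schema,cn=config" by * read") is
# deliberately omitted: the schema database itself stays unreadable.
```

To check the result, an anonymous `ldapsearch -x -s base -b "" '+'` should still return the rootDSE, while an anonymous `ldapsearch -x -b "cn=schema,cn=config"` should no longer return any entry.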