Quanah Gibson-Mount wrote:
> --On Friday, January 22, 2010 8:28 AM +1100 Alex Samad <a...@samad.com.au>
> wrote:
>
>> On Thu, Jan 21, 2010 at 12:03:32PM +0100, Jonathan Clarke wrote:
>>> On 01/20/2010 07:17 AM, Alex Samad wrote:
>>>> Hi
>>>>
>>>> I was wondering where do I place acl for cn=Subschema as there doesn't
>>>> seem to be a db defined for it or is it the same as cn=schema ?
>>>
>>> Regardless of which database it is attached to, you can define any
>>> ACLs in the global section of the configuration file (before any
>>> database declarations).
>>
>> I am using cn=config/dynamic config so I am not using any slapd.conf.
>>
>> from my reading of slapd-config I gather this is not the same,
>>
>> cause I can put it in olcDatabase=frontend,cn=config which is like a
>> default and the man page seems to suggest that you put acl's with the
>> db's they are meant to control (although now that I re read it, it seems
>> like the acl's are all meant to be in the frontend db).
>
> There are still global level ACLs that don't apply to a database. Like
> cn=subschema.
>
> For example in my DB:
>
> [r...@freelancer cn=config]# grep olcA olcDatabase\=\{-1\}frontend.ldif
> olcAccess: {0}to * by dn.children="cn=admins,cn=zimbra" write by * +0 break
> olcAccess: {1}to dn.base="" by * read
> olcAccess: {2}to dn.base="cn=subschema" by * read

Just to clarify - what used to be considered "global" for a lot of these settings is now owned by the frontendDB, ever since OpenLDAP 2.3. Now (since 2.3) "global" settings are only those which affect the entire slapd environment - such as loglevel, number of threads, etc. ACLs, and other settings which affect particular database operations, are all associated to a specific DB. "Global ACLs" are those which are configured on the frontendDB.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
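
An added example, not part of the original thread: a small Python audit helper that reads the olcAccess values of a frontend entry and walks them in order to show what an anonymous client ends up with for cn=subschema and the root DSE. The LDIF sample is constructed from the ACLs quoted above, the function names are hypothetical, and the evaluator is deliberately simplified to the clause shapes seen in the thread (`to *` or `to dn.base="..."`, `by <who> <access> [break]`).

```python
import re

# Constructed sample built from the olcAccess lines quoted in the thread.
# Value {0} is folded: in LDIF a line starting with one space continues the
# previous line, so the second leading space below is the real separator.
FRONTEND_LDIF = '''dn: olcDatabase={-1}frontend
objectClass: olcDatabaseConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.children="cn=admins,cn=zimbra" write by * +0
  break
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.base="cn=subschema" by * read
'''

def olc_access(ldif):
    """Return [(index, what, by-clauses)] ordered by the {n} prefix."""
    rules = []
    unfolded = re.sub(r"\r?\n ", "", ldif)          # undo LDIF line folding
    for line in unfolded.splitlines():
        m = re.match(r"olcAccess:\s*\{(\d+)\}to\s+(\S+)\s+by\s+(.*)", line, re.I)
        if m:
            # Assumes no whitespace inside quoted DNs (true for this sample).
            clauses = [c.split() for c in re.split(r"\s+by\s+", m.group(3))]
            rules.append((int(m.group(1)), m.group(2), clauses))
    return sorted(rules)

def anonymous_access(rules, target_dn):
    """Return (access, indexes of rules consulted) for an anonymous client."""
    trail = []
    for idx, what, clauses in rules:
        if what != "*" and what.lower() != 'dn.base="%s"' % target_dn.lower():
            continue                       # <what> does not select this entry
        trail.append(idx)
        clause = next((c for c in clauses if c[0] in ("*", "anonymous")), None)
        if clause is None:
            return "none", trail           # implicit "by * none stop"
        access = clause[1] if len(clause) > 1 else "none"
        control = clause[2] if len(clause) > 2 else "stop"
        if control != "break":             # only "break" moves to the next rule
            return access, trail
    return "none", trail                   # implicit final "to * by * none"

if __name__ == "__main__":
    acl = olc_access(FRONTEND_LDIF)
    for dn in ("cn=Subschema", "", "cn=config"):
        print(repr(dn), anonymous_access(acl, dn))
```

Run against a copy of a real `olcDatabase={-1}frontend.ldif` to confirm that the schema and root DSE stay readable while nothing else is opened to anonymous clients by the frontend rules.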