For docs, see http://www.openldap.org/doc/admin23/slapdconf2.html
It is redundant to list the rootdn in any ACL clause; the rootdn always has full privileges and ignores all ACLs. Listing the rootdn merely makes ACL evaluation slower for regular users.
The order of directives in your slapd.conf snippets is wrong. The "rootdn" directive must follow the relevant "database" directive if you want it to apply to a particular database.
The config database currently does not honor ACLs; it is hardcoded to only allow access to the rootdn.
There is an outstanding bug in 2.3.7 related to quoting/escaping values in config directives. This bug has been fixed in HEAD (ITS#3807). It's likely that this bug will cause your ACL definitions to be parsed incorrectly. You can pull the latest version of slapd/bconfig.c and slapd/config.c from CVS to test.
Brian Reichert wrote:
I've recently begun to explore the config backend for OpenLDAP 2.3.7, and am running into what appears to be an ACL issue, but I can't figure out what I've done wrong, nor how to explore further.

What I think are pertinent snippets from my slapd.conf:

    rootdn "cn=manager,com=foo"

    database config
    defaultaccess none
    access to dn.subtree="cn=config"
        by dn.exact="cn=manager,com=foo" write
        by * read

I created my slapd.d directory:

    # mkdir -p /etc/openldap/slapd.d
    # slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
    # mv /etc/openldap/slapd.conf /etc/openldap/slapd.conf.test
    # chown -R ldap:ldap /etc/openldap/slapd.d/

slapd.d does seem to be fully populated, and slapd was successfully restarted.

But, when I attempt to search this database:

    # ldapsearch -x -LLL -D cn=manager,com=foo -w foobar \
        -b cn=config > /var/tmp/ldif.out
    Insufficient access (50)

Does anyone see anything obviously wrong here?

I had several databases with identical ACLs, which I can search, so I know I have my credentials right.

Running the server and ldapsearch with '-d -1' doesn't reveal anything like UNIX permission errors.

Alas, I could not find a manpage for slapd.d, nor slapd-config, so I'm running blind, here...

I'd appreciate any feedback you folks can provide.

--
Brian Reichert <[EMAIL PROTECTED]>
55 Crystal Ave. #286          Daytime number: (603) 434-6842
Derry NH 03038-1725 USA       BSD admin/developer at large
--
Howard Chu
Chief Architect, Symas Corp.       http://www.symas.com
Director, Highland Sun             http://highlandsun.com/hyc
OpenLDAP Core Team                 http://www.openldap.org/project/
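The directive ordering issue from the reply, shown as an added slapd.conf example that is not taken from either message: the posted snippet beside a corrected one. The rootpw line is an assumption (the posted snippet shows none, but the simple bind with -w needs a password for the rootdn), and its value is a placeholder.

```conf
# AS POSTED: "rootdn" appears before any "database" line, so it is not
# scoped to the config database it was meant for, and the ACL names the
# rootdn, which bypasses ACLs anyway.
#
#   rootdn "cn=manager,com=foo"
#   database config
#   defaultaccess none
#   access to dn.subtree="cn=config"
#       by dn.exact="cn=manager,com=foo" write
#       by * read

# CORRECTED: database-specific directives follow the "database" directive
# of the database they apply to.
database config
rootdn   "cn=manager,com=foo"
# Assumed, not in the original post: a password for the rootdn, stored as a
# hash produced by slappasswd rather than in cleartext. Placeholder value.
rootpw   "{SSHA}PLACEHOLDER-HASH-FROM-SLAPPASSWD"

# No "access" clause is needed here: the rootdn ignores ACLs, and in 2.3.7
# the config database does not honor ACLs at all (rootdn-only access).
```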
