Ben Beuchler wrote:
On 5/22/06, Aaron Richton <[EMAIL PROTECTED]> wrote:
> Care to share the ACL you're using? I've tried both of these:
In the global section (before any "database" lines), first access line:
access to dn.exact=""
        attrs=supportedSASLMechanisms
        by * none
So with that in place, I lose access to any of the other
configuration-related entries. For example, some of the GUI LDAP
tools (e.g., JXplorer) want to use the data from subschemaSubentry to
find the available objectClasses (by looking in cn=Subschema).
Clearly I can fix this by making the very next line after the above
ACL something like this:
access to dn.subtree=""
        by * read
However, that's a little disconcerting. What are the default
permissions on this "metadata" section of the tree? Is 'by * read' a
reasonable choice?
Use access to dn.exact="" instead; dn.subtree="" means everything on the
server.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
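
Added example, not part of the original thread: a slapd.conf global-section fragment that combines the ACL quoted above with the dn.exact="" advice. The separate cn=Subschema rule is an assumption added here so that schema browsers such as JXplorer keep working; it is not taken from either poster's configuration.

```conf
# slapd.conf, global section (before any "database" line).
# slapd applies the first "access to" clause whose <what> matches the
# entry and attribute, so the narrow rule has to come first.

# 1. Hide only the SASL mechanism list on the root DSE.
access to dn.exact="" attrs=supportedSASLMechanisms
        by * none

# 2. The rest of the root DSE (namingContexts, subschemaSubentry, ...)
#    stays readable. dn.exact="" matches the root DSE entry and
#    nothing else.
access to dn.exact=""
        by * read

# 3. Assumption added for this example: clients that follow
#    subschemaSubentry read cn=Subschema, which is a separate entry
#    and therefore needs its own rule.
access to dn.exact="cn=Subschema"
        by * read

# Too broad, shown commented out for comparison: the empty DN is the
# ancestor of every DN, so this clause matches every entry on the
# server, not just the root DSE.
# access to dn.subtree=""
#         by * read
```

After restarting slapd, an anonymous `ldapsearch -x -s base -b "" supportedSASLMechanisms namingContexts` should return namingContexts and no supportedSASLMechanisms values.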