>>> dn: olcDatabase={-1}frontend,cn=config
>>> olcDatabase: {-1}frontend
>>> olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
>> 
>> this rule only allows root to access rootDSE via local socket, that is
>> ldapi:///
>> that is, as root: ldapsearch -Y EXTERNAL -H ldapi:/// -b "" -s base +
>> 
>> [...]
> 
> thank you - that explains it.  i'm left wondering how those acls for frontend 
> and config got there - i don't recall ever explicitly setting them.  slapd 
> isn't listening on a local socket, which would render them quite useless, 
> right?

> on a related note, regarding the frontend database - reading a bit in the 
> admin guide, my understanding is that the frontend database is the 
> appropriate location for such acls as olcAccess: to dn.base="" by * read - is 
> this correct?  i've done this, and the behavior is now as i expect, but just 
> curious about typical practices.

i've found this comment - 
http://www.mail-archive.com/[email protected]/msg00491.html - 
which would seem to confirm my understanding of the frontend database as it 
relates to acls.
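As an added example (not from this thread), the frontend ACL change discussed above written as an LDIF modify; the {1} index assumes the peercred rule quoted earlier is the only existing olcAccess value, and the cn=config bind DN in the usage note is an assumption.

```ldif
# Added example, not from the thread. Appends a rule after the existing {0}
# peercred rule (which ends in "break", so evaluation continues here) so that
# any client, including anonymous, may read the rootDSE (dn.base="").
# Index {1} assumes exactly one existing olcAccess value on the frontend
# database; list them first with:
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b 'olcDatabase={-1}frontend,cn=config' olcAccess
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcAccess
olcAccess: {1}to dn.base="" by * read
```

Apply with `ldapmodify -Y EXTERNAL -H ldapi:/// -f frontend-rootdse.ldif`, or, where slapd has no ldapi socket, `ldapmodify -x -H ldap://host -D cn=admin,cn=config -W -f frontend-rootdse.ldif` (the bind DN is an assumption). Check the result as an unprivileged client with `ldapsearch -x -H ldap://host -b "" -s base +`, which should now return the rootDSE attributes instead of an empty result.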
