ben thielsen <[email protected]> writes:

>>>> dn: olcDatabase={-1}frontend,cn=config
>>>> olcDatabase: {-1}frontend
>>>> olcAccess: {0}to * by
>>>>  dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by
>>>>  * break
>>>
>>> this rule only allows root to access rootDSE via local socket, that is
>>> ldapi:///
>>> that is, as root: ldapsearch -Y EXTERNAL -H ldapi:/// -b "" -s base +
>>>
>>> [...]
>>
>> thank you - that explains it. i'm left wondering how those acls for
>> frontend and config got there - i don't recall ever explicitly setting them.
>> slapd isn't listening on a local socket, which would render them quite
>> useless, right?

This is probably the default configuration of ubuntu. In order to
connect to slapd via a local socket, just add ldapi:/// to the init script.

>> on a related note, regarding the frontend database - reading a bit
>> in the admin guide, my understanding is that the frontend database
>> is the appropriate location for such acls as olcAccess: to
>> dn.base="" by * read - is this correct? i've done this, and the
>> behavior is now as i expect, but just curious about typical
>> practices.

Yes, this is correct.

>
> i've found this comment -
> http://www.mail-archive.com/[email protected]/msg00491.html -
> which would seem to confirm my understanding of the frontend database as it
> relates to acls.

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
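
The following is an added example, not part of the thread and not OpenLDAP code: a small Python model of first-match ACL evaluation over the frontend rules quoted above, showing why anonymous rootDSE reads fail until the `dn.base=""` rule is added. It assumes only the `to *` / `to dn.base="..."` and `by *` / `by dn.exact=...` forms seen in this thread; `parse_rules`, `access` and the sample LDIF are constructed for illustration.

```python
import re

PEERCRED_ROOT = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"

# Constructed sample: the frontend entry quoted in the thread, with the long
# olcAccess value folded as LDIF folds it (fold space + one real space).
FRONTEND = """\
dn: olcDatabase={-1}frontend,cn=config
olcDatabase: {-1}frontend
olcAccess: {0}to * by
  dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by
  * break
"""
# The rootDSE rule discussed in the reply, as a second (constructed) value.
ROOTDSE_RULE = 'olcAccess: {1}to dn.base="" by * read\n'

def parse_rules(ldif):
    """Unfold LDIF continuation lines; return [(what, [(who, action), ...])]."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]      # RFC 2849: drop the single fold space
        else:
            lines.append(raw)
    rules = []
    for line in lines:
        m = re.match(r"olcAccess: \{\d+\}to (\S+) by (.+)", line)
        if m:
            clauses = [tuple(c.rsplit(None, 1)) for c in m.group(2).split(" by ")]
            rules.append((m.group(1), clauses))
    return rules

def access(rules, target_dn, bound_dn):
    """Level granted on target_dn to bound_dn ("" = anonymous), first match wins."""
    for what, clauses in rules:
        if what != "*" and what != 'dn.base="%s"' % target_dn:
            continue
        for who, action in clauses:
            if who == "*" or who == "dn.exact=" + bound_dn:
                if action == "break":
                    break             # control keyword: go on to the next rule
                return action
        else:
            return "none"             # implicit "by * none stop"
    return "none"                     # no rule granted anything

if __name__ == "__main__":
    for label, ldif in (("as shipped", FRONTEND), ("with rootDSE rule", FRONTEND + ROOTDSE_RULE)):
        r = parse_rules(ldif)
        print(label, "| anonymous:", access(r, "", ""), "| peercred root:", access(r, "", PEERCRED_ROOT))
```

The peercred identity is only assigned to SASL EXTERNAL binds over `ldapi://`, so the `manage` result applies only when slapd has that listener enabled.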
