On Thu, 01 Dec 2011 10:26:32 +0100, Axel Birndt <[email protected]> wrote:

> Hi Dieter,
>
> On 01.12.2011 09:27, Dieter Klünter wrote:
> > On Wed, 30 Nov 2011 22:05:24 +0100
> > Axel Birndt <[email protected]> wrote:
> >
> >> Is this security conform? Or is it better to allow only
> >> authenticated users to read this?
> >>
> >> Are there any best practices for this?
> >
> > dn.base="" exposes rootDSE which has to be read by any client, so
> > this should be anonymous readable, same applies to cn=subschema as
> > clients have to know the attribute types and objectclasses
> > available. But nobody should have access to schema database, so
> > remove rule {1}
>
> thanks for your hint.
>
> I changed my rules now to this:
>
> - for olcDatabase={-1}frontend,cn=config
>
> {0}to dn.base="" by * read
> {1}to dn.base="cn=Subschema" by * read
> {2}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
>
> - for olcDatabase={1}hdb,cn=config
>
> {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=2axels-company,dc=ro" write by anonymous auth by self write by * none
> {1}to dn.base="" by * read
> {2}to dn.base="cn=Subschema" by * read
> {3}to * by dn="cn=admin,dc=2axels-company,dc=de" write by * read
>
> In my opinion it's not needed to have the rules {1} and {2} in the
> "olcDatabase={1}hdb,cn=config" section? Right?

Correct, there is no need for rules {1} and {2}, as these rules are not database specific but belong to the frontend.

-Dieter

-- 
Dieter Klünter | Systems Consulting
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N 10°08'02,42"E
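To make the evaluation order behind Dieter's answer concrete, here is an added Python model of the olcAccess rules from the thread (written for this page; it is neither OpenLDAP's own code nor anything posted in the thread). It assumes slapd's ordering for global ACLs, the holding database's rules first and the frontend's after them, followed by the implicit `by * none`, uses a constructed suffix dc=example,dc=com in place of the thread's, and supports only the `<what>`/`<who>` forms that occur in the posted rules.

```python
import re

SUFFIX = "dc=example,dc=com"              # constructed suffix standing in for the thread's
CONTROLS = ("stop", "continue", "break")
FRONTEND = [                              # shaped like the thread's rules; example values only
    '{0}to dn.base="" by * read',
    '{1}to dn.base="cn=Subschema" by * read',
    '{2}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break',
]
HDB = [
    '{0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none',
    '{1}to dn.base="" by * read',
    '{2}to dn.base="cn=Subschema" by * read',
    '{3}to * by dn="cn=admin,dc=example,dc=com" write by * read',
]

def val(spec):
    # value part of a <what>/<who> spec, e.g. dn.base="cn=Subschema" -> cn=Subschema
    return spec.partition("=")[2].strip('"')

def parse(rule):
    """One olcAccess value -> (<what>, [(who, level or None, control), ...])."""
    what, rest = re.match(r"(?:\{\d+\})?to\s+(\S+)\s+by\s+(.*)$", rule.strip()).groups()
    clauses = []
    for part in re.split(r"\s+by\s+", rest):
        tok = part.split()
        level = tok[1] if len(tok) > 1 and tok[1] not in CONTROLS else None  # 'by * break': no level
        clauses.append((tok[0], level, tok[-1] if tok[-1] in CONTROLS else "stop"))
    return what, clauses

def what_matches(what, dn, attr):
    if what.startswith("attrs="):
        return attr in val(what).split(",")
    return what == "*" or (what.startswith("dn.base=") and dn == val(what))

def who_matches(who, subject, dn):
    if who == "anonymous":
        return subject is None
    return who == "*" or (subject == dn if who == "self" else subject == val(who))

def access(subject, dn, attr="entry", db_rules=HDB):
    """Level granted to subject (None = anonymous) on attr of entry dn: holding db, then frontend."""
    granted, held = "none", (db_rules if dn.endswith(SUFFIX) else [])  # rootDSE/Subschema: no db
    for what, clauses in map(parse, held + FRONTEND):
        if what_matches(what, dn, attr):
            hit = next((c for c in clauses if who_matches(c[0], subject, dn)), None)
            if hit is None:
                return "none"                          # <what> matched, no <who> did: denied
            granted = hit[1] or granted
            if hit[2] != "break":                      # 'break' goes on to the next directive
                return granted
    return granted
```

Because the rootDSE and cn=Subschema are held by no database, only the frontend rules are ever consulted for them, so dropping hdb rules {1} and {2} leaves every result unchanged. Note also that hdb's `to *` rule matches every entry it holds, so in this model the frontend's peercred `manage` clause is never reached for those entries.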
