--On Tuesday, June 2, 2020 8:03 PM +0200 Jehan PROCACCIA
<[email protected]> wrote:
From: "Quanah Gibson-Mount" <[email protected]>
olcAccess: {1}to dn.base="" by * read
This is an ACL that is meant to go into the frontend DB, not the primary
DB.
I remember setting that one so that ApacheDirectoryStudio (or other GUI)
could read the RootDSE, but now you make me wonder ...?
It's not a bad ACL, it's just in the wrong place, which is why I mentioned
the frontend DB.
ACL{2} is dn.base, not subtree:
olcAccess: {2}to dn.base="dc=mydomain,dc=fr" by * read
Yeah, I misread that one, sorry. :) So the rest of the ACLs look fine.
Generally for the frontend DB, you see something like:

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to dn.base="" by * read
olcAccess: {1}to dn.subtree="cn=Subschema" by * read

Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
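
Added example, not part of the original message or of OpenLDAP: a small check over a cn=config LDIF export that reports RootDSE (`dn.base=""`) and `cn=Subschema` ACLs placed on a suffix database instead of the frontend, which is the misplacement discussed in the thread. The sample LDIF, the `olcDatabase={1}mdb` DN and the function names are constructed for illustration.

```python
import re

# Constructed sample of a cn=config export; the mdb database DN and the
# userPassword rule are assumptions, not taken from the thread.
SAMPLE_LDIF = """\
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to dn.base="" by * read
olcAccess: {1}to dn.subtree="cn=Subschema" by * read

dn: olcDatabase={1}mdb,cn=config
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcSuffix: dc=mydomain,dc=fr
olcAccess: {0}to attrs=userPassword by self write by anonymous auth
  by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.base="dc=mydomain,dc=fr" by * read
"""

# Targets that belong in the frontend DB rather than in a suffix database.
ROOT_DSE = re.compile(r'^(\{\d+\})?to\s+dn\.(base|exact)=""(\s|$)', re.I)
SUBSCHEMA = re.compile(r'^(\{\d+\})?to\s+dn\.\w+="cn=subschema"(\s|$)', re.I)

def unfold(ldif):
    """Join LDIF continuation lines (newline + one space) to the previous line."""
    return ldif.replace("\n ", "")

def misplaced_acls(ldif):
    """Return (database DN, rule) pairs for frontend-type ACLs on other databases.
    Base64-encoded values (olcAccess::) are not decoded and are skipped."""
    findings = []
    for entry in unfold(ldif).strip().split("\n\n"):
        lines = entry.splitlines()
        dn = next((l[4:] for l in lines if l.lower().startswith("dn: ")), "")
        if not dn.lower().startswith("olcdatabase=") or "frontend" in dn.lower():
            continue  # only suffix/backend databases are of interest
        for line in lines:
            attr, _, value = line.partition(": ")
            if attr.lower() == "olcaccess" and (
                    ROOT_DSE.match(value) or SUBSCHEMA.match(value)):
                findings.append((dn, value))
    return findings

if __name__ == "__main__":
    for dn, rule in misplaced_acls(SAMPLE_LDIF):
        print(f"{dn}: move to frontend DB -> {rule}")
```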