Full_Name: Andrew Findlay
Version: HEAD 2008-12-05
OS: SuSE 10.2
URL:
Submission from: (NULL) (88.97.25.132)
Some ACL behaviours do not match slapd.access(5).
slapd.access(5) says:
For entries not held in any backend (such as a root DSE), the directives of the first backend (and any global directives) are used.
I created a slapd.conf where the global ACL was:

    access to * by * none

and the single BDB backend had acls:

    access to dn.exact="" by * read
    access to dn.exact="cn=nonesuch" by * read

The anon user could not read the root DSE:

    ldapsearch -LLL -H ldap://localhost:1389/ -b '' -s base -x '(objectclass=*)' +

I next moved the root access clause to the global section:

    access to dn.exact="" by * read
    access to * by * none

The BDB backend now had this ACL:

    access to dn.exact="cn=nonesuch" by * read
Anon was now able to read the root DSE. Thus it appears that the root DSE is controlled by the global ACL but not by the first backend ACL.
My feeling is that the behaviour is right and the manpage needs updating. The Admin Guide has similar statements in 7.2.4 and 7.3.4.
The complete slapd.conf file follows for reference:
-------------------------------------------------------------------------------
# Logging - this goes to syslog as 'local4'
#
# 512+256 to enable stats logging
#
loglevel 768

# Schema definitions
#
include ../../etc/schema/core.schema
include ../../etc/schema/cosine.schema
include ../../etc/schema/inetorgperson.schema

# These should have absolute pathnames on production systems
pidfile ./slapd.pid
argsfile ./slapd.args

########################################################################
# Default ACL
########################################################################

access to * by * none

########################################################################
#######################################################################
# The main database
#######################################################################
########################################################################

database bdb
suffix "dc=example,dc=org"
rootdn "cn=root,dc=example,dc=org"

password-hash {SSHA}

#
rootpw password

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
# This should be an absolute pathname on production servers.
#
directory ./openldap-db

# Entry cache size
#
cachesize 4000

# How often we force a checkpoint on the underlying database
# kilobytes and seconds
#
checkpoint 128 300

########################################################################
# Indices to maintain
########################################################################

index objectClass eq

########################################################################
# ACLs for this database
########################################################################

access to dn.exact="" by * read
access to dn.exact="cn=nonesuch" by * read
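The observation above (a root DSE clause placed only in the first backend's ACLs did not grant anonymous read, while the same clause in the global section did) can be turned into a configuration check. The following is an added example written for this report, not OpenLDAP code: it splits a slapd.conf into the global section and per-`database` sections, locates `access to dn.exact=""` (or `dn.base=""`) clauses, and flags a file that relies on a backend section for root DSE access or that places the global root DSE clause after a catch-all `access to *` rule. It does not evaluate slapd's ACL semantics; the two sample configurations are constructed from the directives quoted in the report, and the helper names are this example's own.

```python
"""Lint where a slapd.conf grants access to the root DSE (added example, not OpenLDAP code).

The check encodes the behaviour reported above: put the root DSE clause in the
global section, ahead of any catch-all 'access to *' rule, rather than in the
first backend's ACL list.
"""
import re
from dataclasses import dataclass, field

# Clause targeting the empty DN (the root DSE).
ROOT_DSE_TARGET = re.compile(r'^access\s+to\s+dn\.(?:exact|base)=""', re.IGNORECASE)
# Catch-all clause such as 'access to * by * none'.
CATCH_ALL = re.compile(r'^access\s+to\s+\*(\s|$)', re.IGNORECASE)


@dataclass
class Section:
    name: str                      # "global" or the database type, e.g. "bdb"
    access: list = field(default_factory=list)   # 'access' clauses in file order


def _logical_lines(text):
    """Drop comments/blank lines and join slapd.conf continuation lines
    (a line starting with whitespace continues the previous directive)."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.rstrip())
    return out


def parse_sections(text):
    """Split the file into the global section followed by one Section per 'database'."""
    sections = [Section("global")]
    for line in _logical_lines(text):
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        if keyword == "database":
            sections.append(Section(parts[1].strip() if len(parts) > 1 else "?"))
        elif keyword == "access":
            sections[-1].access.append(line)
    return sections


def root_dse_clause_locations(text):
    """Names of the sections that contain a clause targeting the root DSE."""
    return [s.name for s in parse_sections(text)
            if any(ROOT_DSE_TARGET.match(a) for a in s.access)]


def lint_root_dse(text):
    """Return a finding (str) or None when the root DSE clause is placed as recommended."""
    sections = parse_sections(text)
    global_acl = sections[0].access
    root_idx = next((i for i, a in enumerate(global_acl) if ROOT_DSE_TARGET.match(a)), None)
    catch_idx = next((i for i, a in enumerate(global_acl) if CATCH_ALL.match(a)), None)

    if root_idx is not None:
        if catch_idx is not None and catch_idx < root_idx:
            return "global root DSE clause is shadowed by an earlier 'access to *' rule"
        return None

    in_backend = [s.name for s in sections[1:]
                  if any(ROOT_DSE_TARGET.match(a) for a in s.access)]
    if in_backend:
        return ("root DSE access clause found only in backend section(s) %s; "
                "move it to the global section ahead of the default rule"
                % ", ".join(in_backend))
    return None


# Constructed from the report's first configuration: root DSE clause in the backend only.
CONF_BEFORE = """\
loglevel 768
include ../../etc/schema/core.schema
access to * by * none
database bdb
suffix "dc=example,dc=org"
access to dn.exact="" by * read
access to dn.exact="cn=nonesuch" by * read
"""

# Constructed from the report's second configuration: root DSE clause moved to the global section.
CONF_AFTER = """\
loglevel 768
access to dn.exact="" by * read
access to * by * none
database bdb
suffix "dc=example,dc=org"
access to dn.exact="cn=nonesuch"
    by * read
"""

if __name__ == "__main__":
    for label, conf in (("before", CONF_BEFORE), ("after", CONF_AFTER)):
        print(label, root_dse_clause_locations(conf), lint_root_dse(conf))
```

Run against the first configuration the lint reports that the root DSE clause lives only in the `bdb` section; against the second it is silent, matching the behaviour the ldapsearch tests showed.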