John Du wrote:
I fixed the two problems.
Problem one was fixed by adding an "access to dn.subtree="cn=SubSchema" by * read".
This should be sufficient since the subschema subentry is a single entry:
access to dn.base="cn=Subschema" by * read
I thought the root DN is not subject to any access control rules but that does not seem to be the case.
Indeed no ACLs are applied when effectively binding as rootdn. What makes you think that this is not the case?
I do not understand why I have to add the index for the new server but not for the old one.
The problem is that if you added an index directive to slapd.conf but did not re-index, slapd looks into the index database file and the old entries are not there yet. So the entry is not returned as a search result. This might make you think that access control prevents the entry from being returned.
Also be sure that all the database files have the right ownership/permissions when manually re-indexing them.
Ciao, Michael.
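
An added example (not part of the original message) of the ownership/permissions check mentioned above: a shell sketch that lists database files not owned by the account slapd runs as, or writable by group or others, for instance after a re-index was run as root. The directory and account in the usage comment are assumptions; take them from the database's "directory" directive in slapd.conf and from your slapd service account.

```shell
#!/bin/sh
# Audit a slapd database directory after a manual re-index.
# Usage (path and account are assumptions, adjust to your install):
#   sh audit_slapd_db.sh /var/lib/ldap ldap

# Print every regular file under directory $1 not owned by user $2.
# $2 may be a user name or a numeric UID.
wrong_owner() {
    find "$1" -type f ! -user "$2" -print
}

# Print every regular file under directory $1 that group or others can write.
loose_perms() {
    find "$1" -type f \( -perm -020 -o -perm -002 \) -print
}

# Report both problems; return 0 only when the directory is clean.
audit_db_dir() {
    audit_dir=$1
    audit_user=$2
    bad_owner=$(wrong_owner "$audit_dir" "$audit_user")
    bad_perms=$(loose_perms "$audit_dir")

    if [ -n "$bad_owner" ]; then
        # slapd may be unable to open these, so indexed searches can fail
        # or return nothing even though the ACLs are correct.
        printf 'Not owned by %s:\n%s\n' "$audit_user" "$bad_owner"
    fi
    if [ -n "$bad_perms" ]; then
        printf 'Writable by group or others:\n%s\n' "$bad_perms"
    fi

    [ -z "$bad_owner" ] && [ -z "$bad_perms" ]
}

# Run the audit only when called with a directory and a user.
if [ "$#" -eq 2 ]; then
    audit_db_dir "$1" "$2"
fi
```

A non-zero exit status means at least one file needs its owner or mode corrected before slapd is restarted.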