Now that I can log in as a user: How do I give a user access to schema? This is what I'm trying now (but not working):
access to dn.subtree="cn=schema,dc=example,dc=com" by dn="cn=Ron,ou=Zimbra,dc=example,dc=com" read
What am I missing? Thanks!
-ron
Is this what you mean, or do you mean cn=Subschema? (And note that that's not under "dc=example,dc=com." Search the list archive for examples.)
On Tue, 17 Jul 2007, Ron Parker wrote:
Now that I can log in as a user: How do I give a user access to schema? This is what I'm trying now (but not working):
access to dn.subtree="cn=schema,dc=example,dc=com" by dn="cn=Ron,ou=Zimbra,dc=example,dc=com" read
What am I missing? Thanks!
-ron
-- Ron Parker Software Creations http://www.scbbs.com Self-Administration Web Site http://saw.scbbs.com SDSS Subscription Mgmt Service http://sdss.scbbs.com Central Ave Dance Ensemble http://www.centralavedance.com R & B Salsa http://www.randbsalsa.com
I don't know what I mean. I've searched the Internet for "access to schema" and can't seem to find an answer that works for what I'm trying to do.
What I want to do is, when a user logs in, to allow the ldap client to read the schema for the server. This happens automatically when the rootdn logs in, but apparently I have to explicitly create access control for a user's client to read the schema.
From the examples I've been able to locate and understand, I've tried the following:
access to dn="cn=subschema" by * read
access to dn.base="cn=Subschema" by * read
access to dn.subtree="cn=Subschema" by * read
but none appear to work. Apparently, I need another example of exactly what I'm trying to do, which I don't seem able to locate.
Thanks!
-ron
Aaron Richton wrote:
Is this what you mean, or do you mean cn=Subschema? (And note that that's not under "dc=example,dc=com." Search the list archive for examples.)
OpenLDAP test000-rootdse searches cn=Subschema as an anonymous user. Maybe you could start there as your example?
I really doubt that anything "happens automatically"; that's not in the protocol. If you turn on stats/stats2 debug level, you'll likely see that your rootDN-configured client is executing some flavor of search. If you're suspecting acl, you can turn on acl debug level.
On Tue, 17 Jul 2007, Ron Parker wrote:
I don't know what I mean. I've searched the Internet for "access to schema" and can't seem to find an answer that works for what I'm trying to do.
What I want to do is, when a user logs in, to allow the ldap client to read the schema for the server. This happens automatically when the rootdn logs in, but apparently I have to explicitly create access control for a user's client to read the schema.
From the examples I've been able to locate and understand, I've tried the following:
access to dn="cn=subschema" by * read
access to dn.base="cn=Subschema" by * read
access to dn.subtree="cn=Subschema" by * read
but none appear to work. Apparently, I need another example of exactly what I'm trying to do, which I don't seem able to locate.
Thanks!
-ron
Yes, you are correct. When I use this access control
access to dn="cn=Subschema" by * read
access to dn.subtree="cn=Subschema" by * read
(don't know which one works, but one of them does)
and search Subschema locally as a user:
ldapsearch -H "ldap://example.com" -D 'cn=Ron,ou=Zimbra,dc=example,dc=com' -x -W -b "cn=Subschema" -s base "objectclass=Subschema"
I get the expected results. However, when I click on the "Schema" tab in the client I'm using, I get nothing. So, I need to find out what the actual search being executed is and go from there.
Thank you for your assistance.
-ron
Aaron Richton wrote:
OpenLDAP test000-rootdse searches cn=Subschema as an anonymous user. Maybe you could start there as your example?
I really doubt that anything "happens automatically"; that's not in the protocol. If you turn on stats/stats2 debug level, you'll likely see that your rootDN-configured client is executing some flavor of search. If you're suspecting acl, you can turn on acl debug level.
Ron Parker wrote:
From the examples I've been able to locate and understand, I've tried the following:
access to dn="cn=subschema" by * read
access to dn.base="cn=Subschema" by * read
access to dn.subtree="cn=Subschema" by * read
but none appear to work. Apparently, I need another example of exactly what I'm trying to do, which I don't seem able to locate.
A snippet from my slapd.conf:
#---------------------------------------------------------------------
# Allow anyone to look at the Schema and SubSchema
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
#---------------------------------------------------------------------
This works for us in terms of letting anyone look up the schemas (tested with 'gq' on a linux workstation, doing an anonymous bind.)
Gregory
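A worked form of the two searches a schema-aware client makes (root DSE first, then the subschema subentry it points at) together with an offline slapacl check of the access directives; this is added example code, not from the thread, and it assumes OpenLDAP's ldapsearch and slapacl are installed and that you pass the URI, bind DN and slapd.conf path yourself.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes OpenLDAP's ldapsearch and
# slapacl are installed; URI, bind DN and slapd.conf path are passed as args.

# Step 1 of what a schema-aware client does: read the root DSE (base "") and
# take the DN from its subschemaSubentry attribute. This is why the ACL needs
# `access to dn.base="" by * read` alongside the cn=Subschema rule.
subschema_dn_from_ldif() {
  printf '%s\n' "$1" | sed -n '/^subschemaSubentry: */{s///p;q;}'
}

# Live form of step 1 (needs a reachable server): $1 = URI, $2 = bind DN.
discover_subschema_dn() {
  ldapsearch -LLL -x -H "$1" -D "$2" -W -s base -b "" subschemaSubentry \
    | sed -n '/^subschemaSubentry: */{s///p;q;}'
}

# Step 2: base-scope search on that DN. attributeTypes and objectClasses are
# operational attributes, so they have to be requested by name (or with "+").
read_schema() {
  ldapsearch -LLL -x -H "$1" -D "$2" -W -s base -b "$3" \
    '(objectClass=subschema)' attributeTypes objectClasses
}

# Offline ACL check with slapacl(8): evaluates the access directives in
# slapd.conf ($1) for bind DN ($2) without starting slapd; -u skips fetching
# the entry from the database. Assumption: your build accepts "" and
# cn=Subschema as -b targets; slapacl reports ALLOWED or DENIED per attribute.
check_schema_acl() {
  slapacl -f "$1" -u -D "$2" -b "" subschemaSubentry/read 2>&1 \
    | grep -q ALLOWED || return 1
  slapacl -f "$1" -u -D "$2" -b "cn=Subschema" objectClasses/read 2>&1 \
    | grep -q ALLOWED
}

# Constructed root DSE reply, in the shape ldapsearch -LLL prints it.
SAMPLE_ROOTDSE='dn:
namingContexts: dc=example,dc=com
subschemaSubentry: cn=Subschema
supportedLDAPVersion: 3'

# Usage (live):
#   dn=$(discover_subschema_dn ldap://example.com "cn=Ron,ou=Zimbra,dc=example,dc=com")
#   read_schema ldap://example.com "cn=Ron,ou=Zimbra,dc=example,dc=com" "$dn"
```

If the manual cn=Subschema search works but the client's schema tab stays empty, compare what step 1 returns for the user bind with what it returns for the rootdn: a client that cannot read the root DSE never learns where the schema lives.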
openldap-software@openldap.org