On Wed, 30 Nov 2011 22:05:24 +0100, Axel Birndt <towerlexa@gmx.de> wrote:
Hi @all & thanks for your help!
On 29.11.2011 12:28, Axel Birndt wrote:
On 29.11.2011 10:10, Ondrej Kuznik wrote:
On 11/29/2011 09:13 AM, Axel Birndt wrote:
You should expect a response exactly like this (unless your database suffix is set to ""):
ldapsearch -x -D "" -s base -b "" -h localhost
Now it's working for me. I added the following ACLs in olcDatabase={-1}frontend,cn=config:
{0}to dn.base="" by * read
{1}to dn.base="cn=schema,cn=config" by * read
{2}to dn.base="cn=Subschema" by * read
But does the first rule mean that everyone can read everything in this frontend?
Is this secure? Or is it better to allow only authenticated users to read this?
Are there any best practices for this?
dn.base="" exposes the rootDSE, which has to be read by any client, so this should be anonymously readable; the same applies to cn=subschema, as clients have to know which attribute types and object classes are available. But nobody should have access to the schema database, so remove rule {1}.
-Dieter
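As an added example (not part of the thread and not Axel's or Dieter's own configuration), here is the resulting frontend ACL set written as an LDIF modification that follows Dieter's advice: the rootDSE and cn=Subschema stay anonymously readable, and the rule that exposed cn=schema,cn=config is gone. The ldapi:/// URL and the ldapmodify invocation in the comment are assumptions about a typical cn=config setup.

```ldif
# Added example, not from the original thread.
# Apply with (assumed local root access over ldapi):
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f frontend-acl.ldif
#
# "replace" rewrites the whole olcAccess attribute of the frontend
# database, so any other rules that were there must be merged in here.
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcAccess
# rootDSE: every client (including anonymous) must be able to read it
olcAccess: {0}to dn.base="" by * read
# subschema: clients need the attribute types and object classes
olcAccess: {1}to dn.base="cn=Subschema" by * read
# no rule for cn=schema,cn=config: the raw schema database stays closed
```

To confirm the change took effect, repeat the anonymous base search from the thread (`ldapsearch -x -D "" -s base -b "" -h localhost`) and the same search with `-b "cn=Subschema"`; both should return an entry, while an anonymous search against `-b "cn=schema,cn=config"` should now be refused.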