On Thu, 01 Dec 2011 10:26:32 +0100, Axel Birndt <towerlexa@gmx.de> wrote:
Hi Dieter,
On 01.12.2011 09:27, Dieter Klünter wrote:
On Wed, 30 Nov 2011 22:05:24 +0100, Axel Birndt <towerlexa@gmx.de> wrote:
Is this acceptable security-wise? Or is it better to allow only authenticated users to read this?
Are there any best practices for this?
dn.base="" exposes the rootDSE, which has to be read by any client, so this should be anonymously readable; the same applies to cn=subschema, as clients have to know the attribute types and object classes available. But nobody should have access to the schema database, so remove rule {1}.
thanks for your hint.
I changed my rules now to this:
- for olcDatabase={-1}frontend,cn=config:
  {0}to dn.base="" by * read
  {1}to dn.base="cn=Subschema" by * read
  {2}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
- for olcDatabase={1}hdb,cn=config:
  {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=2axels-company,dc=ro" write by anonymous auth by self write by * none
  {1}to dn.base="" by * read
  {2}to dn.base="cn=Subschema" by * read
  {3}to * by dn="cn=admin,dc=2axels-company,dc=de" write by * read
In my opinion rules {1} and {2} are not needed in the "olcDatabase={1}hdb,cn=config" section. Right?
Correct, there is no need for rules {1} and {2}, as these rules are not database-specific but belong to the frontend.
-Dieter
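As an added example (not part of the thread above, and not OpenLDAP code), the following Python script models how slapd walks the olcAccess rules posted here, following the evaluation order described in slapd.access(5): rules are tried in order, the first matching <to> selects a rule, within it the first matching <by> decides, "break" continues with the next rule, a matched <to> with no matching <by> denies, and the database holding the entry is consulted before the global (frontend) list, with an implicit "to * by * none" at the end. It lets you check offline why rules {1} and {2} are redundant in the hdb database: the rootDSE and cn=Subschema are served by the frontend, so the hdb list is never consulted for them. Assumptions: the rules are written as Python structures rather than parsed from the olcAccess string syntax, only the <who> forms used in this thread are supported, the sample user entry uid=axel,ou=people,dc=2axels-company,dc=de is constructed, and the admin DN is taken as cn=admin,dc=2axels-company,dc=de in both hdb rules.

```python
"""Offline model of slapd ACL evaluation (slapd.access(5) semantics) for the rules
in this thread: first matching <to> selects a rule, first matching <by> decides,
"break" moves on to the next rule, a matched <to> with no matching <by> denies."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence, Tuple

# Access levels in increasing order; a granted level implies every level below it.
LEVELS = ("none", "disclose", "auth", "compare", "search", "read", "write", "manage")
ADMIN = "cn=admin,dc=2axels-company,dc=de"           # admin DN from the posted rules
LOCAL_ROOT = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
USER = "uid=axel,ou=people,dc=2axels-company,dc=de"   # constructed sample entry (assumption)

@dataclass(frozen=True)
class Request:
    target_dn: str            # entry being accessed ("" is the rootDSE)
    attr: Optional[str]       # attribute name, or None for the entry itself
    bound_dn: Optional[str]   # None = anonymous

@dataclass(frozen=True)
class Rule:
    """One olcAccess value: a <to> selector plus ordered <by> clauses."""
    dn_base: Optional[str] = None           # to dn.base="..."; None = any entry
    attrs: FrozenSet[str] = frozenset()     # to attrs=...; empty = entry and all attrs
    by: Tuple[Tuple[str, str], ...] = ()    # ((<who>, <access> or "break"), ...)

    def matches(self, req: Request) -> bool:
        if self.dn_base is not None and req.target_dn.lower() != self.dn_base.lower():
            return False
        return not self.attrs or (req.attr is not None and req.attr.lower() in self.attrs)

def who_matches(who: str, req: Request) -> bool:
    """Supported <who> forms: "*", "anonymous", "self", "dn=<DN>", "dn.exact=<DN>"."""
    if who == "*":
        return True
    if who == "anonymous":
        return req.bound_dn is None
    if who == "self":
        return req.bound_dn is not None and req.bound_dn.lower() == req.target_dn.lower()
    if who.startswith(("dn=", "dn.exact=")):
        return req.bound_dn is not None and req.bound_dn.lower() == who.split("=", 1)[1].lower()
    raise ValueError(f"unsupported <who> clause: {who}")

def evaluate(rules: Sequence[Rule], req: Request) -> Optional[str]:
    """Access level decided by one list, or None if no rule in it decided."""
    for rule in rules:
        if not rule.matches(req):
            continue
        for who, access in rule.by:
            if who_matches(who, req):
                if access == "break":
                    break          # carry on with the next olcAccess rule
                return access
        else:
            return "none"          # <to> matched but no <by> did: denied
    return None

def granted(db_rules, frontend_rules, req: Request, in_database: bool) -> str:
    """Database list first, then the global (frontend) list, then the implicit
    'to * by * none'. Frontend-served entries (rootDSE, cn=Subschema) see only the frontend list."""
    for rules in ([db_rules, frontend_rules] if in_database else [frontend_rules]):
        result = evaluate(rules, req)
        if result is not None:
            return result
    return "none"

def allows(level: str, needed: str) -> bool:
    return LEVELS.index(level) >= LEVELS.index(needed)

# Rule sets from the thread: frontend as posted, hdb without rules {1} and {2}.
FRONTEND = (
    Rule(dn_base="", by=(("*", "read"),)),
    Rule(dn_base="cn=Subschema", by=(("*", "read"),)),
    Rule(by=((f"dn.exact={LOCAL_ROOT}", "manage"), ("*", "break"))),
)
HDB = (
    Rule(attrs=frozenset({"userpassword", "shadowlastchange"}),
         by=((f"dn={ADMIN}", "write"), ("anonymous", "auth"), ("self", "write"), ("*", "none"))),
    Rule(by=((f"dn={ADMIN}", "write"), ("*", "read"))),
)
HDB_AS_POSTED = (HDB[0], FRONTEND[0], FRONTEND[1], HDB[1])   # with the redundant rules

SCENARIOS = (   # (request, in_database): frontend-served targets and hdb-held ones
    (Request("", None, None), False),                     # anonymous reads rootDSE
    (Request("cn=Subschema", "objectClasses", None), False),
    (Request(USER, "userPassword", None), True),          # anonymous vs. a password
    (Request(USER, "userPassword", USER), True),          # user vs. own password
    (Request(USER, None, ADMIN), True),                   # admin vs. an entry
    (Request(USER, "userPassword", LOCAL_ROOT), True),    # ldapi root inside hdb
)

def check(req: Request, needed: str, in_database: bool = True, db_rules=HDB) -> bool:
    """True if the effective ACL grants at least `needed` for `req`."""
    return allows(granted(db_rules, FRONTEND, req, in_database), needed)

def decisions(db_rules=HDB):
    return [granted(db_rules, FRONTEND, req, in_db) for req, in_db in SCENARIOS]

if __name__ == "__main__":
    for (req, _), level in zip(SCENARIOS, decisions()):
        print(req.bound_dn or "anonymous", "->", req.target_dn or "rootDSE", req.attr or "(entry)", level)
    print("hdb rules {1},{2} change nothing:", decisions(HDB) == decisions(HDB_AS_POSTED))
```

Two things the run makes visible that the rule text alone does not: anonymous gets "auth" on userPassword, which allows a simple bind but not a read, and the local root peercred identity gets "none" on userPassword inside the hdb database, because the hdb rules match before the frontend's "manage ... by * break" rule is ever reached. If you want ldapi root to manage the data database, that <by> clause has to appear in the hdb rules themselves.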