dn: olcDatabase={-1}frontend,cn=config olcDatabase: {-1}frontend olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
this rule only allows root to access rootDSE via local socket, that is ldapi:/// that is, as root: ldapsearch -Y EXTERNAL -H ldapi:/// -b "" -s base +
[...]
thank you - that explains it. i'm left wondering how those acls for frontend and config got there - i don't recall ever explicitly setting them. slapd isn't listening on a local socket, which would render them quite useless, right?
on a related note, regarding the frontend database - reading a bit in the admin guide, my understanding is that the frontend database is the appropriate location for such acls as olcAccess: to dn.base="" by * read - is this correct? i've done this, and the behavior is now as i expect, but just curious about typical practices.
i've found this comment - http://www.mail-archive.com/openldap-technical@openldap.org/msg00491.html - which would seem to confirm my understanding of the frontend database as it relates to acls.