--On Tuesday, June 2, 2020 8:03 PM +0200 Jehan PROCACCIA jehan.procaccia@imtbs-tsp.eu wrote:
From: "Quanah Gibson-Mount" quanah@symas.com

olcAccess: {1}to dn.base="" by * read

This is an ACL that is meant to go into the frontend DB, not the primary DB.

I remember setting that one so that ApacheDirectoryStudio (or other GUI) could read the RootDSE, but now you make me wonder ...?
It's not a bad ACL, it's just in the wrong place, which is why I mentioned the frontend DB.
ACL {2} is dn.base, not subtree:

olcAccess: {2}to dn.base="dc=mydomain,dc=fr" by * read
Yeah, I misread that one, sorry. :) So the rest of the ACLs look fine.
Generally for the frontend DB, you see something like:
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to dn.base="" by * read
olcAccess: {1}to dn.subtree="cn=Subschema" by * read
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
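
An added example, not part of the original thread: a small audit of a cn=config LDIF export that reports RootDSE and cn=Subschema ACLs placed on a database other than olcDatabase={-1}frontend, which is the misplacement discussed above. The sample LDIF is constructed, and the function names (`parse_entries`, `misplaced_frontend_acls`) are hypothetical.

```python
import re

# Constructed sample of a cn=config export (not taken from the thread's server).
SAMPLE_LDIF = """\
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to dn.base="" by * read
olcAccess: {1}to dn.subtree="cn=Subschema" by * read

dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcSuffix: dc=mydomain,dc=fr
olcAccess: {0}to attrs=userPassword by self write by anonymous auth
  by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.base="dc=mydomain,dc=fr" by * read
"""

# Targets that belong in the frontend DB: the RootDSE ("") and cn=Subschema.
FRONTEND_TARGET = re.compile(
    r'^(?:\{\d+\})?to\s+dn(?:\.\w+)?=(""|"cn=subschema")(?:\s|$)', re.IGNORECASE)

def parse_entries(ldif_text):
    """Split LDIF into entries of (attr, value) pairs, unfolding continuation lines."""
    unfolded = re.sub(r"\n ", "", ldif_text)  # LDIF fold: newline + one space
    entries = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        pairs = [tuple(p.strip() for p in line.split(":", 1))
                 for line in block.splitlines()
                 if ":" in line and not line.startswith("#")]
        if pairs:
            entries.append(pairs)
    return entries

def misplaced_frontend_acls(ldif_text):
    """Return (dn, acl) for RootDSE/Subschema ACLs outside olcDatabase={-1}frontend."""
    findings = []
    for pairs in parse_entries(ldif_text):
        dn = next((v for a, v in pairs if a.lower() == "dn"), "")
        if not dn.lower().startswith("olcdatabase=") or "frontend" in dn.lower().split(",")[0]:
            continue  # skip non-database entries and the frontend itself
        findings += [(dn, v) for a, v in pairs
                     if a.lower() == "olcaccess" and FRONTEND_TARGET.match(v)]
    return findings
```

Run against the sample, it reports only the `{1}to dn.base=""` rule on the mdb database; the `{2}` rule on the suffix entry is left alone because it targets data that database actually holds.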