Hi, I've a question.
I am configuring the ACLs in slapd.conf. Is it necessary to specify the Administrator DN in the "who" field?
Ex: access to attrs=userPassword by dn="cn=Manager,dc=example,dc=com"
Do I have to specify it, or does the administrator have the access right to every attribute?
On 23.03.2012 10:44, stefano wrote:
Hi, I've a question.
I am configuring the ACLs in slapd.conf. Is it necessary to specify the Administrator DN in the "who" field?
Ex: access to attrs=userPassword by dn="cn=Manager,dc=example,dc=com"
Do I have to specify it, or does the administrator have the access right to every attribute?
Hi,
the docs are your friend :)
From slapd.access(5):
*Be warned: the rootdn can always read and write EVERYTHING!*
From slapd.conf(5):
access to <what> [ by <who> <access> <control> ]+ [...] The rootdn can always read and write EVERYTHING! [...]
[...]
rootdn <dn> Specify the distinguished name that is not subject to access control or administrative limit restrictions for operations on this database. [...]
Regards, Christian Manal
On 23/3/2012 11:44 AM, stefano wrote:
Do I have to specify it, or does the administrator have the access right to every attribute?
Quote from: http://www.openldap.org/doc/admin24/access-control.html :
"Regardless of what access control policy is defined, the rootdn is always allowed full rights (i.e. auth, search, compare, read and write) on everything and anything.
As a consequence, it's useless (and results in a performance penalty) to explicitly list the rootdn among the <by> clauses."
Nick
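An added example, not code from the thread or from the OpenLDAP project, that puts the two answers above into a slapd.conf fragment: the redundant rootdn clause from the question next to the same rule without it, plus the one case where an administrator DN does have to be listed. The suffix, the rootdn and the other DNs are assumed example values.

```conf
# Added example (not from the thread): slapd.conf ACL fragment showing why the
# rootdn never needs a "by" clause. Suffix, rootdn and entry DNs are assumed.

database    mdb
suffix      "dc=example,dc=com"
# The rootdn is exempt from every access directive in this database: no ACL
# can grant it more, and no ACL can take anything away from it.
rootdn      "cn=Manager,dc=example,dc=com"

# REDUNDANT FORM (kept commented out). The first "by" clause can never have
# an effect: a bind as the rootdn is not evaluated against ACLs at all, and
# every other identity falls through to the next clause. All it costs is an
# extra clause evaluation on every userPassword access.
#access to attrs=userPassword
#    by dn="cn=Manager,dc=example,dc=com" write
#    by self write
#    by anonymous auth
#    by * none

# CORRECTED FORM: same policy, rootdn clause dropped. Within one directive the
# first matching "by" clause wins, so order from most to least specific:
#   - the bound user may change its own password
#   - anonymous may use the attribute only to authenticate (simple bind)
#   - everybody else gets nothing, not even compare
# Caveat: the exemption covers the rootdn only. A delegated administrator that
# is an ordinary entry (e.g. the assumed cn=pwadmin,ou=people,dc=example,dc=com)
# still has to be listed explicitly, as the first clause:
#     by dn.exact="cn=pwadmin,ou=people,dc=example,dc=com" write
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Catch-all for every other attribute. Directives are tried top to bottom and
# the first "access to" whose <what> matches the entry/attribute is used, so
# the userPassword rule above must stay in front of this one or it is shadowed.
access to *
    by self write
    by users read
    by * none
```

To check the resulting policy for a non-root identity without starting slapd, slapacl(8) evaluates the configured ACLs offline; for instance `slapacl -f /etc/openldap/slapd.conf -D "uid=jdoe,ou=people,dc=example,dc=com" -b "uid=jdoe,ou=people,dc=example,dc=com" userPassword/write` reports whether that bind DN gets write access to its own password (the config path and the entry DN are assumed values).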
On 03/23/2012 11:37 AM, Nick Milas wrote:
On 23/3/2012 11:44 AM, stefano wrote:
Do I have to specify it, or does the administrator have the access right to every attribute?
Quote from: http://www.openldap.org/doc/admin24/access-control.html :
"Regardless of what access control policy is defined, the rootdn is always allowed full rights (i.e. auth, search, compare, read and write) on everything and anything.
As a consequence, it's useless (and results in a performance penalty) to explicitly list the rootdn among the <by> clauses."
Nick
thanks!
openldap-technical@openldap.org