> My rules (other than the two I just added to make Luma work) are the
> following:
>
> access to attrs=userPassword by anonymous auth
> access to * by peername=127.0.0.1 read
> by users read
>
> That's it. Nothing fancy. My understanding of OpenLDAP, however, is that
> binding with the rootdn user should give me read/write access to everything.
Ron, you may be better looking at this:
# Lines 24 through 32 specify access control for entries in this
# database. As this is the first database, the controls also apply
# to entries not held in any database (such as the Root DSE). For
# all applicable entries, the userPassword attribute is writable
# by the entry itself and by the "admin" entry. It may be used for
# authentication/authorization purposes, but is otherwise not
# readable. All other attributes are writable by the entry and
# the "admin" entry, but may be read by all users (authenticated
# or not).
That I grabbed from http://www.openldap.org/doc/admin22/slapdconfig.html,
almost at the end of the file. As you can see NO ONE bypass the access
rules for the first database, even rootdn. Good for you to read that
page, that is an interesting read.
--
Bye,
Fernando Maciel Souto Maior
fernando@xxxxxxxxxxxxx
http://www.araujo.com.br
+55+31 3270-5886
LPIC/1 # 31908
AVISO-------------------------------------------------------------
Esta mensagem pode conter informacao confidencial ou privilegiada.
Se voce nao for o destinatario ou a pessoa autorizada a receber
esta mensagem, nao pode usar, copiar ou divulgar as informacoes
nela contidas ou tomar qualquer acao baseada nessas informacoes.
Se voce recebeu esta mensagem por engano, favor avisar o remetente
imediatamente, respondendo o e-mail e em seguida apagando-o.
Obrigado pela cooperacao.
DISCLAIMER--------------------------------------------------------
This message may contain confidential and/or privileged information.
If you are not the addressee or authorized to receive this for the
addressee, you must not use, copy, disclose or take any action based
on any information herein. If you have received this message in
error, please advise the sender immediately by replying to this
e-mail and delete this message. Thank you for your cooperation.
------------------------------------------------------------------
This email was sent using SquirrelMail - http://squirrelmail.org
-------------------------------------------------------
This SF.Net email is sponsored by OSTG. Have you noticed the changes on
Linux.com, ITManagersJournal and NewsForge in the past few weeks? Now,
one more big change to announce. We are now OSTG- Open Source Technology
Group. Come see the changes on the new OSTG site. www.ostg.com
|
