Alex Samad wrote:
> On Fri, Jan 22, 2010 at 08:28:52AM +1100, Alex Samad wrote:
>> On Thu, Jan 21, 2010 at 12:03:32PM +0100, Jonathan Clarke wrote:
>>> On 01/20/2010 07:17 AM, Alex Samad wrote:
>>>> Hi
>>>>
>>>> I was wondering where do I place ACLs for cn=Subschema, as there doesn't seem
>>>> to be a db defined for it, or is it the same as cn=schema?
>>>
>>> Regardless of which database it is attached to, you can define any
>>> ACLs in the global section of the configuration file (before any
>>> database declarations).
>>
>> I am using cn=config/dynamic config so I am not using any slapd.conf.
>>
>> From my reading of slapd-config I gather this is not the same,
>>
>> cause I can put it in olcDatabase=frontend,cn=config which is like a
>> default and the man page seems to suggest that you put ACLs with the
>> DBs they are meant to control (although now that I re-read it, it seems
>> like the ACLs are all meant to be in the frontend DB).
>
> More investigation from
>
> http://www.openldap.org/doc/admin24/access-control.html#Access%20Control%20via%20Dynamic%20Configuration
>
> When evaluating whether some requester should be given access to an
> entry and/or attribute, slapd compares the entry and/or attribute to the
> <what> selectors given in the configuration. For each entry, access
> controls provided in the database which holds the entry (or the global
> access directives if not held in any database) apply first, followed by
> the global access directives (which are held in the frontend database
> definition). However, when dealing with an access list, because the
> global access list is effectively appended to each per-database list, if
> the resulting list is non-empty then the access list will end with an
> implicit access to * by * none directive. If there are no access
> directives applicable to a backend, then a default read is used.
>
> so to me it reads
>
> database ACLs first
> frontend ACLs
>
> so is it best practice to put everything in the frontend?
Only if your entire ACL config is meant to apply uniformly to all the databases in the server. Usually that won't be the case; people tend to create multiple databases because different parts of their DIT need different settings.

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
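The split the thread arrives at, as an added cn=config example that is not from the list posts or from OpenLDAP's own documentation: cn=Subschema and the root DSE are not held in any database, so their ACLs go in the frontend (global) list, while rules specific to one DIT stay with that database. The database name olcDatabase={1}hdb and the suffix dc=example,dc=com are assumptions, and `replace:` overwrites whatever olcAccess lists already exist.

```ldif
# Added example, not the thread's own configuration. Evaluation order per
# the admin guide text quoted above: for an entry held in {1}hdb, slapd
# walks the {1}hdb olcAccess list first, then the frontend list, then an
# implicit "to * by * none". The first <what> clause that matches wins.

# 1) Global ACLs. The root DSE ("") and cn=Subschema are served by the
#    frontend, so a per-database ACL never sees them; put them here.
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to dn.base="" by * read
olcAccess: {1}to dn.base="cn=Subschema" by * read
# Catch-all read for anything no per-database clause decided. Without it,
# any database that has even one olcAccess clause ends with the implicit
# "by * none", because "default read" only applies to a database with no
# applicable access directives at all.
olcAccess: {2}to * by * read

# 2) Per-database ACLs for the (assumed) dc=example,dc=com suffix. These
#    are consulted before the frontend list for entries in this database.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# No "to * by * read" here on purpose: every other entry/attribute falls
# through to the frontend's {2} clause, since the global list is appended.
```

Apply with ldapmodify against cn=config and confirm with an anonymous `ldapsearch -b cn=Subschema -s base` that the schema is still readable, then bind as a user and check that userPassword is hidden from everyone but self.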
