Discussion:
[Jxplorer-users] Access to Schema
Ron Parker
2007-07-17 20:23:55 UTC
Hi,

I finally resolved my user login issue by utilizing access control
correctly. However, now, when users log in, they don't have access to
the schema (nothing loaded when they click on Schema tab).

In my slapd.conf access control, I have:

access to dn="cn=Subschema" by * read
access to dn.subtree="cn=Subschema" by * read

I can access this Subschema as a user locally with this command:

ldapsearch -H "ldap://example.com" -D
'cn=Ron,ou=Zimbra,dc=example,dc=com' -x -W -b "cn=Subschema" -s base
"objectclass=Subschema"

However, when I click on the "Schema" tab in JXplorer, I get nothing.
When I am logged in as rootdn, however, I get the schema.

So, I guess my question is either:
a) what is the search used for this Schema tab, or
b) what do you recommend that I enter into my access control list to
allow my users to be able to read the server schema when logged into
JXplorer?

Thanks!

-ron
--
Ron Parker
Software Creations http://www.scbbs.com
Self-Administration Web Site http://saw.scbbs.com
SDSS Subscription Mgmt Service http://sdss.scbbs.com
Central Ave Dance Ensemble http://www.centralavedance.com
R & B Salsa http://www.randbsalsa.com
Ron Parker
2007-07-18 18:29:24 UTC
Still trying to resolve this. Been trying to research. The closest I've
found to this issue is here:

http://www.nabble.com/Re%3A-JXplorer-Schema-access-tf2193548.html

"The first thing JXplorer does is try to read the 'subschemaSubentry'
attribute from the root entry of the directory. Usually this resolves
to be 'cn=schema', but if JX can't find a subschemaSubentry it will
then default to 'cn=schema' anyway, as this is sort of the de facto
standard."

OpenLDAP has no "cn=schema". Only "cn=Subschema".

"... However from what you've said below, your server looks like it is
using a schema root of 'cn=subSchema', which is perfectly valid, so long as
it is correctly advertising it in the 'subschemaSubentry' attribute of the
root entry? "

How do I do this? That is, how can I tell if "cn=Subschema" is
correctly advertised in "subschemaSubentry" attribute? And, if it's
not, how do I make it do it?

"Other possibilities are to try to change your schema entry from
cn=subschema to cn=schema, or if the subschemaSubentry attribute is set
correctly there may be a bug in JXplorer, in which case let me know and
I'll try to fix it... there were problems a few years ago in recognising
the sub schema sub entry..."

In OpenLDAP, "cn=schema" returns unknown object. At this point, I don't
know what to do. I would imagine the solution is pretty standard since
both OpenLDAP and JXplorer are fairly well used. If someone could
either point me to it or tell me what I need to do, I'd really
appreciate it.

Thanks!

-ron
Douglas E. Engert
2007-07-18 19:45:18 UTC
Try
ldapsearch -x -s base -b "" "(objectclass=*)" +

This should list the rootDSE and it should have a
subschemaSubentry: cn=Subschema

Then try
ldapsearch -x -s base -b "cn=Subschema" "(objectclass=*)" +

That should list the attributes.

Also make sure that the slapd.conf allows read access to the base

access to dn.base="" by * read
--
Douglas E. Engert <***@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
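
Added example, not part of the original thread: a POSIX shell script that repeats the two lookups above as the identity the client binds with, and reports which ACL blocks the schema read. The function names and the sample LDIF are constructed for illustration; it assumes the OpenLDAP `ldapsearch` client is installed.

```shell
#!/bin/sh
# Extract the subschemaSubentry value from rootDSE LDIF on stdin.
# Handles LDIF line folding (continuation lines begin with one space) and
# case-insensitive attribute names; base64 ("::") values are ignored.
schema_dn_from_ldif() {
    awk '
        function emit(line) {
            if (!found && tolower(line) ~ /^subschemasubentry:[^:]/) {
                sub(/^[^:]*: */, "", line); print line; found = 1
            }
        }
        /^ / { buf = buf substr($0, 2); next }   # unfold continuation line
        { emit(buf); buf = $0 }
        END { emit(buf) }
    '
}

# Constructed sample: rootDSE output with a folded value.
sample_rootdse() {
    printf 'dn:\nsubschemaSubentry: cn=Sub\n schema\n'
}

# usage: check_schema_access URI [BIND_DN]
# Empty BIND_DN means anonymous; with a bind DN, -W prompts once per search.
check_schema_access() {
    uri=$1; bind=${2:-}
    if [ -n "$bind" ]; then set -- -x -H "$uri" -D "$bind" -W
    else set -- -x -H "$uri"; fi

    # Step 1: can this identity read subschemaSubentry on the root entry?
    root=$(ldapsearch "$@" -LLL -s base -b "" "(objectclass=*)" \
               subschemaSubentry 2>/dev/null) || true
    dn=$(printf '%s\n' "$root" | schema_dn_from_ldif)
    if [ -z "$dn" ]; then
        echo "rootDSE not readable: add 'access to dn.base=\"\" by * read'"
        return 1
    fi

    # Step 2: can it read the schema entry the server advertises?
    if ldapsearch "$@" -LLL -s base -b "$dn" "(objectclass=subschema)" \
           objectClasses attributeTypes 2>/dev/null |
           grep -qi '^objectClasses:'; then
        echo "schema readable at $dn"
    else
        echo "schema entry $dn not readable: check the ACL for that DN"
        return 1
    fi
}

sample_rootdse | schema_dn_from_ldif   # demo on the constructed sample
```

Run `check_schema_access ldap://example.com` for the anonymous case, then again with the user's bind DN as the second argument, and compare the two results.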
Ron Parker
2007-07-18 20:12:55 UTC
This solved all my problems. Thank you so very much!

-ron