Importing an LDIF from an OpenLDAP server and examining the ACIs found, I don't really understand how default permissions are established:
I only found these two ACIs (LDIF unfolded):
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid: 1.3.6.1.4.1.4203.1.9.1.1
cn: Sync Request Control
aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( read, search ) userdn = "ldap:///all";)

dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid: 2.16.840.1.113730.3.4.9
cn: VLV Request Control
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=server,cn=plugins,cn=config
createTimestamp: 20221121142915Z
modifyTimestamp: 20221121142915Z
aci: (targetattr != "aci")(version 3.0; acl "VLV Request Control"; allow( read, search, compare, proxy ) userdn = "ldap:///all";)
I'm unsure what those two actually do.
Specifically, I found no ACI at the "suffix root" (e.g. dc=example,dc=com).
However, at the root I found the "rootdse anon read access" ACI that seems to allow searching everything except aci attributes.
As I understand ACIs of 389-DS, with no other ACIs found in the "suffix tree", those at the root should matter.
Am I expected to add specific ACIs within the "suffix root"?
If so, what would be a typical "starting set"?
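The following LDIF is a constructed illustration of what a minimal, least-privilege starting set of suffix ACIs for 389-DS can look like; it is added here and is not part of the original post. The suffix dc=example,dc=com, the group cn=Directory Administrators,ou=Groups,dc=example,dc=com and the chosen attribute lists are assumptions to be adapted to the real tree and schema.

```ldif
# Constructed example (not from the original post): starting ACIs for an
# assumed suffix dc=example,dc=com, loaded with ldapmodify as Directory Manager.
dn: dc=example,dc=com
changetype: modify
# Read access for everyone, including anonymous binds, but never to password
# hashes or to the ACIs themselves. "ldap:///anyone" covers anonymous users;
# "ldap:///all" would cover only authenticated users.
add: aci
aci: (targetattr != "userPassword || aci")(version 3.0; acl "Anonymous read"; allow (read, search, compare) userdn = "ldap:///anyone";)
-
# A user may change only their own password and a few contact attributes.
add: aci
aci: (targetattr = "userPassword || telephoneNumber || mobile")(version 3.0; acl "Self write"; allow (write) userdn = "ldap:///self";)
-
# An assumed admin group manages entries below the suffix, but ACI changes
# stay reserved to Directory Manager, so "aci" is excluded here too.
add: aci
aci: (targetattr != "aci")(version 3.0; acl "Directory admins"; allow (all) groupdn = "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)
```

Two caveats worth checking before loading something like this. First, in an allow rule `targetattr != "x"` grants access to every attribute other than x, so any sensitive attribute not named in the list (password hashes, account-lock state, and so on) becomes readable; listing the exposed attributes explicitly with `targetattr = "..."` is the safer default. Second, the two ACIs quoted in the post sit on entries under cn=features,cn=config, and ACIs on those feature entries govern who may use the corresponding LDAP control (the Sync Request and VLV controls); they do not by themselves grant access to data under the suffix, which is why suffix-level ACIs are still needed.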