
Re: (ITS#3819) Strange slapd.conf diagnostic after authz-regexp



Howard Chu writes:
> Well, it's one bad hack vs another.  What actually would make sense to me
> is to cover all of the non-DB ACLs under the frontendDB, since those
> objects (rootDSE, schema subentry) are actually implemented in the slapd
> frontend.

But the frontendDB ACLs are used as defaults.  I miss some way to
specify "non-database" ACLs that do not become defaults.  I want the
default to stay 'access to * by * none', due to mild paranoia.

> And it doesn't seem important to have rootdn access to these things
> anyway. You may as well just add explicit ACLs to give read access to
> the IDs that need access.

For the root DN, that's true enough.

I dislike having to say 'access to dn=...' for the others, because then
if some useful feature gets implemented and the admin doesn't know about
it (e.g. cn=Subschema), the ACLs remove that functionality.

-- 
Hallvard
Don't anthropomorphize computers. They hate that.