Re: (ITS#3532) test006-acls: warning: cannot assess the validity of the ACL scope within backend naming context
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#3532) test006-acls: warning: cannot assess the validity of the ACL scope within backend naming context
- From: ando@sys-net.it
- Date: Wed, 31 Aug 2005 13:47:49 GMT
Hallvard B Furuseth wrote:
>Pierangelo Masarati writes:
>
>>Works as intended. (...) For instance,
>>access to *
>> by * read
>>can appear anywhere, but it's not quite good inside a
>>backend because it also scopes outside.
>
>I don't understand. Can an ACL inside a database definition
>sometimes be applied to data outside that database? Or
>maybe I should ask, data outside that database's suffix?
>
>Please document the pitfalls of not including a DN in all of
>a database's ACLs (or explain it and I'll document it:-).
>I don't like to not understand what I'm fixing when I shut
>up a warning, nor leaving a warning like that alone.
>
I'd reverse the comment. If one puts an ACL that scopes outside the
database, one for some reason may be led to think that the ACL applies
to data outside the database as well. For example, people may put ACLs
scoping the rootDSE into the first database block, because that's how
things used to work in slapd. If they don't any more (I'm a bit
confused right now, but I think when #define LDAP_DEVEL they don't), one
should be warned. I admit that check is incomplete and cannot spot all
occurrences; in fact the messages can assert a violation or just suggest
its possibility or likelihood; moreover, I guess they should be relaxed
to something less than ANY; for instance, to ACL. Or the entire check
could be removed, if it doesn't make sense. Note that the test never
results in slapd refusing to start. It's plainly informative.
p.
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
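As an added illustration, not part of this thread or of the OpenLDAP test suite, a hypothetical slapd.conf fragment with the ACL shape discussed above: first the unscoped form that the test006 check warns about (commented out so the fragment stays loadable), then the same rule bounded to the database suffix. The suffix dc=example,dc=com, the rootdn and the bdb backend are assumptions; the rootDSE rule in the global section follows the point about where such ACLs are meant to live.

```conf
# Added example, not from the thread: hypothetical slapd.conf fragment.

# Global section: access directives before the first "database" line apply
# to every backend, so an ACL for the rootDSE (the empty DN) belongs here,
# not inside the first database block.
access to dn.exact=""
    by * read

database  bdb
suffix    "dc=example,dc=com"
rootdn    "cn=Manager,dc=example,dc=com"

# Form discussed in the thread. "*" matches any DN, including entries that
# are not under this database's suffix, so the check cannot confirm that the
# ACL scope lies within the backend naming context and prints the warning.
# slapd still starts; the message is informative only.
#access to *
#    by * read

# Scoped form: the same rule bounded explicitly to the backend suffix. The
# scope now lies within the naming context, so the warning does not apply.
access to dn.subtree="dc=example,dc=com"
    by * read
```

Keep only one of the two rules in a real configuration: slapd evaluates access directives in order and stops at the first whose target matches, so an unscoped "access to *" placed first would shadow the scoped rule below it.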