
(ITS#4522) Minor inconsistency between ACL documentation and code



Full_Name: Ralf Haferkamp
Version: HEAD, RE23, RE24
OS: 
URL: ftp://ftp.openldap.org/incoming/rhaferkamp-20060505-slapd-access.dif
Submission from: (NULL) (212.95.103.109)


I just noticed two minor inconsistencies between the acl parsing code and the
slapd.access manpage. 
The manpage states that the "dn=" part of the <what> is optional. Current code,
however, doesn't allow specifying ACLs like "access to cn=test ..."

Additionally, the BNF at the beginning of the manpage is IMO slightly wrong.
It should be:
 access to <what> [ by <who> [ <access> ] [ <control> ] ]+
instead of:
 access to <what> [ by <who> <access> [ <control> ] ]+

As it seems to be perfectly ok to have the <access> part missing (e.g. by *
break).

On the assumption that the code is always right :-), I created the uploaded
patch for the man page.

I am also wondering whether it might make sense to mention the implicit "by * none"
somewhere prominently in the manpage. Maybe by adding an "Access Control
Evaluation" section to the manpage. Opinions?

It is currently only mentioned in the Adminguide. I had several reports from
users stumbling over this.
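
The grammar proposed in the report, as an added example that is not part of the original submission or its uploaded patch: a small Python parser for `access to <what> [ by <who> [ <access> ] [ <control> ] ]+` that also flags a `<what>` written without "dn=" and directives where the implicit "by * none" can be reached. The keyword sets are a subset taken from slapd.access(5), `<who>` is kept as opaque text, and the names `parse_acl`, `bare_dn` and `implicit_deny_reachable` are hypothetical.

```python
import re
import shlex

# Subset of the keywords in slapd.access(5); <who> is not validated in this sketch.
LEVELS = {"none", "disclose", "auth", "compare", "search", "read", "write", "manage"}
CONTROLS = {"stop", "continue", "break"}
WHAT_PREFIXES = ("dn=", "dn.", "filter=", "attrs=")

def is_access(tok):
    """<access> ::= [[real]self]{<level>|<priv>}, <priv> ::= {=|+|-}{m|w|r|s|c|x|d|0}+"""
    tok = re.sub(r"^(real)?self", "", tok)  # bare "self" is a <who>, not an <access>
    return tok in LEVELS or bool(re.fullmatch(r"[=+-][mwrscxd0]+", tok))

def parse_acl(directive):
    """Parse: access to <what> [ by <who> [ <access> ] [ <control> ] ]+"""
    toks = shlex.split(directive, comments=True)
    marks = [i for i, t in enumerate(toks) if t == "by"]
    if toks[:2] != ["access", "to"] or not marks or marks[0] < 3:
        raise ValueError("expected: access to <what> by <who> ...")
    what = toks[2:marks[0]]
    clauses = []
    for start, end in zip(marks, marks[1:] + [len(toks)]):
        body = toks[start + 1:end]
        # <control> and <access> are both optional and always trail <who>.
        control = body.pop() if body and body[-1] in CONTROLS else None
        access = body.pop() if body and is_access(body[-1]) else None
        if not body:
            raise ValueError("by clause without <who>")
        clauses.append({"who": " ".join(body), "access": access, "control": control})
    return {
        "what": " ".join(what),
        # The report says slapd rejects a <what> DN written without "dn=".
        "bare_dn": what[0] != "*" and not what[0].startswith(WHAT_PREFIXES),
        "by": clauses,
        # No explicit catch-all: unmatched requesters hit the implicit "by * none".
        "implicit_deny_reachable": all(c["who"] != "*" for c in clauses),
    }

# Constructed sample directives, not taken from the report's patch.
SAMPLES = [
    'access to attrs=userPassword by self write by anonymous auth',
    'access to dn.subtree="ou=people,dc=example,dc=com" by users read by * break',
    'access to cn=test by * read',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(parse_acl(s))
```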