[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACLs broken by ITS#5419

To: openldap-its@OpenLDAP.org
Subject: Re: ACLs broken by ITS#5419
From: rein@basefarm.no
Date: Tue, 25 Mar 2008 00:22:04 GMT

On Mon, 24 Mar 2008, Howard Chu wrote:

> rein@basefarm.no wrote:
>> 
>> The change to servers/slapd/backend.c for ITS#5416 seem to have broken the
>> ability for group and set statements in access control lines to refer to 
>> entries
>> outside the backend currently being operated on.
>
> That ability was never intended in the first place. Historically, backends in 
> slapd have been treated as isolated DSAs with no connection to each other. 
> They've required special mechanisms (like back-relay or slapo-glue) to be 
> joined.

Yes, I know, the change that allowed this was imo the one that made sets 
and groups really useful.  Our database configuration still has traces of 
the workarounds the lack of this feature once forced us to make..

But, the latest change also removes this ability for databases subordinate 
to the same common superior (i.e using the slapo-glue).  If I understand 
you correct it is a bug that glue'ed databases cannot refer to each other, 
although I still consider it a bug (or at least a huge drawback) if this 
would no longer be generally possible.

Rein

Prev by Date: Re: ACLs broken by ITS#5419
Next by Date: Re: (ITS#5401) slapd crashes in mirrormode
Index(es):
- Chronological
- Thread