Re: Issue with default ACL selection and back-config (revitalizing ITS#3100?...)

["Kurt D. Zeilenga" <Kurt@OpenLDAP.org>]

At 04:59 PM 4/12/2005, Howard Chu wrote:
>Pierangelo Masarati wrote:
>
>>In access_allowed(), when called with null o_bd field, the first database is selected, where the first real database is traditionally intended.  The current code has been modified to pick the first database by calling
>>
>>       op->o_bd = LDAP_STAILQ_FIRST( &backendDB );
>>
>>However, if back-config is enabled, it is forced to be the first database in the list.  I can't figure out, right now, how this can be solved in a clean manner.
>
>Hmmm... As per ITS#3100, the behavior to use the first backend has been in place for a long time, but it doesn't make a lot of sense in itself, it seems it was just a hack (acl.c rev 1.93) to allow ACL checks to be performed on the rootDSE and other objects that live outside of a regular backend. Since we now have a frontendDB where the global ACLs live, I think we should just use the frontendDB here.

I note that we've had global ACLs for a long time (which
not only applied to the root DSE, but to all backends
after their specific ACLs).

I'm fine with doing away with the "first DB ACLS are used if
no global ACLs" feature.

Kurt