incompatible access control between versions
Hi listers
i observed the following:
in openldap version 2.3.39 the following was acceptable:
the access control statements for an ldap-database follow the definition
of the database, i.e. in the slapd.conf file (and its includes) you
could have the following sequence:
<general section>
<database1 section>
<access-control section to database1>
<database2 section>
<access-control section to database2>
...
in openldap-version 2.4.8-3, however, the above sequence is no longer
accepted, all access-controls must be in the general-section:
the access-control you get in this case is the default one: "everyone
authenticated can read everything", i.e. your access-controls are
silently disregarded.
you don't find a hint what's wrong with your access control, neither in
the log nor on the error output. only after increasing the debug level
to -d255 (-d15 is not sufficient), when starting slapd, you get
"warning: ACL appears to be out of scope within backend naming context".
i would rather have liked to see an error "access control error ..." on
the error output when starting slapd, and the start failing altogether.
suomi
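
A pre-start check in the spirit of the last paragraph, as an added example that is not part of the original message and not OpenLDAP code: it flags database-section ACLs whose DN target lies outside that database's `suffix` and exits non-zero so a deployment step can refuse to start slapd. It assumes the quoted warning refers to such mis-scoped targets; `lint`, `in_scope`, `norm` and the sample configuration are constructed for illustration.

```python
import re
import sys

# Constructed slapd.conf fragment (not from the post): the second database has a mis-scoped ACL.
SAMPLE_CONF = '''\
access to * by * read
database bdb
suffix "dc=example,dc=com"
access to dn.subtree="ou=people,dc=example,dc=com"
    by self write by users read
database bdb
suffix "dc=example,dc=org"
access to dn.subtree="ou=people,dc=example,dc=com"
    by users read
access to attrs=userPassword by self write
'''

TARGET = re.compile(r'^access\s+to\s+dn(?:\.(\w+))?=(?:"([^"]*)"|(\S+))', re.I)

def norm(dn):  # crude: lowercase, trim around commas; escaped commas are not handled
    return ",".join(part.strip().lower() for part in dn.split(","))
def in_scope(dn, suffixes):
    return any(s == "" or dn == s or dn.endswith("," + s) for s in suffixes)

def lint(text):
    """Return (line, target_dn, suffixes) for each ACL outside its database's suffixes."""
    findings, suffixes, acls = [], None, []   # suffixes is None while in the global section
    for n, raw in [*enumerate(text.splitlines(), 1), (0, "database end-of-file")]:
        if not raw.strip() or raw[0] in " \t#":
            continue  # blank, comment, or continuation of the previous directive
        key, rest = (raw.split(None, 1) + [""])[:2]
        if key.lower() == "database":  # a new section starts: judge the one just closed
            if suffixes:
                findings += [(ln, d, tuple(suffixes)) for ln, d in acls if not in_scope(d, suffixes)]
            suffixes, acls = [], []
        elif suffixes is not None and key.lower() == "suffix":
            suffixes.append(norm(rest.strip().strip('"')))
        elif suffixes is not None:
            m = TARGET.match(raw)  # assumes the <what> target is on the directive's first line
            dn = (m.group(2) or m.group(3) or "") if m else "*"
            if dn != "*" and (m.group(1) or "").lower() != "regex":
                acls.append((n, norm(dn)))
    return findings

if __name__ == "__main__":
    problems = lint(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF)
    for n, dn, sfx in problems:
        print(f"line {n}: ACL target '{dn}' is outside suffix(es) {sfx}", file=sys.stderr)
    sys.exit(1 if problems else 0)
```

Global-section ACLs, regex-style targets and ACLs without a DN target are not judged, so a clean result does not replace reviewing the effective access rules.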