Re: (ITS#3532) test006-acls: warning: cannot assess the validity of the ACL scope within backend naming context

[ando@sys-net.it]

michael@stroeder.com wrote:

>running defines.sh
>Running slapadd to build slapd database...
>./testrun/slapd.1.conf: line 57: warning: cannot assess the validity of the ACL
>scope within backend naming context
>./testrun/slapd.1.conf: line 62: warning: cannot assess the validity of the ACL
>scope within backend naming context
>./testrun/slapd.1.conf: line 74: warning: cannot assess the validity of the ACL
>scope within backend naming context
>./testrun/slapd.1.conf: line 78: warning: cannot assess the validity of the ACL
>scope within backend naming context
>./testrun/slapd.1.conf: line 84: warning: cannot assess the validity of the ACL
>scope within backend naming context
>./testrun/slapd.1.conf: line 96: warning: cannot assess the validity of the ACL
>scope within backend naming context
>Starting slapd on TCP/IP port 9011...
>Testing slapd access control...
>Waiting 5 seconds for slapd to start...
>Using ldapsearch to retrieve all the entries...
>Filtering ldapsearch results...
>Filtering original ldif used to create database...
>Comparing filter output...
>  
>
>>>>>>Test succeeded
>>>>>>./scripts/test006-acls completed OK.
>>>>>>            
>>>>>>
Works as intended.  That's a reminder that ACLs (may) scope outside the 
backend they're defined in.  For instance,

access to *
    by * read

can appear anywhere, but it's not quite good inside a backend because it 
also scopes outside.  A more appropriate statement would be

access to dn.subtree=<suffix>
    by * read

In some cases (e.g. when using fancy submatches in regex clauses) slapd 
can't quite get the actual scope of a rule; different warnings may 
appear in that case.

This is only informative, not prescriptive, and it's been in HEAD for at 
least one year (but I suspect more) and nobody ever complained about it.

p.



    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497