[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#3819) Strange slapd.conf diagnostic after authz-regexp

Howard Chu writes:
>Hallvard B Furuseth wrote:
>> The root DSE no longer uses ACLs from the first database.
>> it Only uses the global ACLs and the 'database frontend' ACLs,
>> because the supposedly global ACLs end up in frontendDB.
> Yes. This was discussed recently
> http://www.openldap.org/lists/openldap-devel/200504/msg00045.html
> but I don't think any course of action was decided.

Well, I miss some way to set up "non-database" ACLs separately from
global ACLs.

My suggestion (without looking at the code:-) would be to either
implement a 'database dsa-info' to hold this info, or restore the 'first
database' hack.  With the latter, one can set up a dummy database as the
first database if needed.  I knew back-null would be good for something,
sooner or later:-)  Can't use it for the root DSE's rootdn, though.

>> Also, rootdn/rootpw was also applied from the first database, but
>> those are now taken from frontendDB and I can't get rootdn/rootpw
>> from frontendDB to work.
> Well, rootpw makes no sense for the frontendDB. The question about
> rootdn is still open.

Well, I haven't kept enough track to learn what frontendDB is for.

As for the required non-global and thus different rootdns (when rootpw
is used), I don't know what's good about that - it's just been a minor
pain in the neck with our setup.  Until I finally learned about
ldapi:// -QYEXTERNAL, so no we have the same rootdn for every database.

Don't anthropomorphize computers. They hate that.