Re: (ITS#3819) Strange slapd.conf diagnostic after authz-regexp
Howard Chu writes:
>Hallvard B Furuseth wrote:
>> The root DSE no longer uses ACLs from the first database.
>> It only uses the global ACLs and the 'database frontend' ACLs,
>> because the supposedly global ACLs end up in frontendDB.
>>
> Yes. This was discussed recently
> http://www.openldap.org/lists/openldap-devel/200504/msg00045.html
> but I don't think any course of action was decided.
Well, I miss some way to set up "non-database" ACLs separately from
global ACLs.
My suggestion (without looking at the code:-) would be to either
implement a 'database dsa-info' to hold this info, or restore the 'first
database' hack. With the latter, one can set up a dummy database as the
first database if needed. I knew back-null would be good for something,
sooner or later:-) Can't use it for the root DSE's rootdn, though.
>> Also, rootdn/rootpw was also applied from the first database, but
>> those are now taken from frontendDB and I can't get rootdn/rootpw
>> from frontendDB to work.
>
> Well, rootpw makes no sense for the frontendDB. The question about
> rootdn is still open.
Well, I haven't kept enough track to learn what frontendDB is for.
As for the required non-global and thus different rootdns (when rootpw
is used), I don't know what's good about that - it's just been a minor
pain in the neck with our setup. Until I finally learned about
ldapi:// -QYEXTERNAL, so now we have the same rootdn for every database.
--
Hallvard
Don't anthropomorphize computers. They hate that.