[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#3819) Strange slapd.conf diagnostic after authz-regexp

h.b.furuseth@usit.uio.no wrote:
>  Howard Chu writes:

> > Yes. This was discussed recently
> > http://www.openldap.org/lists/openldap-devel/200504/msg00045.html
> > but I don't think any course of action was decided.

>  Well, I miss some way to set up "non-database" ACLs separately from
>  global ACLs.

>  My suggestion (without looking at the code:-) would be to either
>  implement a 'database dsa-info' to hold this info, or restore the
>  'first database' hack.  With the latter, one can set up a dummy
>  database as the first database if needed.  I knew back-null would be
>  good for something, sooner or later:-)  Can't use it for the root
>  DSE's rootdn, though.

> >> Also, rootdn/rootpw was also applied from the first database, but
> >> those are now taken from frontendDB and I can't get
> >> rootdn/rootpw from frontendDB to work.

>  As for the required non-global and thus different rootdns (when
>  rootpw is used), I don't know what's good about that - it's just been
>  a minor pain in the neck with our setup.  Until I finally learned
>  about ldapi:// -QYEXTERNAL, so no we have the same rootdn for every
>  database.

So it sounds like you're in favor of a single global rootdn. It might 
make sense to use the frontendDB for this.

I suppose your "database dsa-info" idea already exists in "database 
config". Certainly its contents are dsa-specific info, and the config 
database is now always the first database. So, even though back-config 
performs no ACL checks of its own, you can always do
    database config
    access to ...

to setup your non-database ACLs.

We need to tweak the olcGlobal definition to allow this info to be 
propagated in back-config though. Currently there's an ugly game to get 
rootpw in there. We may need to do the same thing to allow setting a 
rootdn here. Then in this case, it would make more sense to me to use 
back-config's rootdn as the server global rootdn. (Because that gets 
exposed in the cn=config root entry.) I've unfortunately confused the 
concepts of "global to the server settings" (cn=config) with "global to 
the database contexts" (frontendDB) in the code; this needs to be 
separated out again.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support