[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#3819) Strange slapd.conf diagnostic after authz-regexp

Hallvard B Furuseth wrote:
> Sounds even less intuitive than the old "first database" hack to me,
> since the access one wants to back-config and to the root DSE etc is
> very different.  With "first database" one can at least select which
> database to put first.  Besides, we might someday want to implement ACL
> support in back-config.
Well, it's one bad hack vs another. What actually would make sense to me 
is to cover all of the non-DB ACLs under the frontendDB, since those 
objects (rootDSE, schema subentry) are actually implemented in the slapd 
frontend. And it doesn't seem important to have rootdn access to these 
things anyway. You may as well just add explicit ACLs to give read 
access to the IDs that need access.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support