Re: (ITS#3819) Strange slapd.conf diagnostic after authz-regexp
Howard Chu writes:
> Well, it's one bad hack vs another. What actually would make sense to me
> is to cover all of the non-DB ACLs under the frontendDB, since those
> objects (rootDSE, schema subentry) are actually implemented in the slapd
But the frontendDB ACLs are used as defaults. I miss some way to
specify "non-database" ACLs that do not become defaults. I want the
default to stay 'access to * by * none', due to mild paranoia.
> And it doesn't seem important to have rootdn access to these things
> anyway. You may as well just add explicit ACLs to give read access to
> the IDs that need access.
For the root DN, that's true enough.
I dislike having to say 'access to dn=...' for the others, because then
if some useful feature gets implemented and the admin doesn't know about
it (e.g. cn=Subschema), the ACLs remove that functionality.
Don't anthropomorphize computers. They hate that.