[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#3819) Strange slapd.conf diagnostic after authz-regexp

Howard Chu writes:
> Well, it's one bad hack vs another.  What actually would make sense to me
> is to cover all of the non-DB ACLs under the frontendDB, since those
> objects (rootDSE, schema subentry) are actually implemented in the slapd
> frontend.

But the frontendDB ACLs are used as defaults.  I miss some way to
specify "non-database" ACLs that do not become defaults.  I want the
default to stay 'access to * by * none', due to mild paranoia.

> And it doesn't seem important to have rootdn access to these things
> anyway. You may as well just add explicit ACLs to give read access to
> the IDs that need access.

For the root DN, that's true enough.

I dislike to have to say 'access to dn=...' for the others, because then
if some useful feature gets implemented and the admin don't know about
it (e.g. cn=Subschema), the ACLs remove that functionality.

Don't anthropomorphize computers. They hate that.