[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#3532) test006-acls: warning: cannot assess the validity of the ACL scope within backend naming context

Hallvard B Furuseth wrote:

>Pierangelo Masarati writes:
>>Works as intended.  (...)  For instance,
>>access to *
>>    by * read
>>can appear anywhere, but it's not quite good inside a
>>backend because it also scopes outside.
>I don't understand.  Can an ACL inside a database definition
>sometimes be applied to data outside that database?  Or
>maybe I should ask, data outside that database's suffix?
>Please document the pitfalls of not including a DN in all of
>a database's ACLs (or explain it and I'll document it:-).
>I don't like to not understand what I'm fixing when I shut
>up a warning, nor leaving a warning like that alone.
I'd reverse the comment.  If one puts an ACL that scopes outside the 
database, one for some reason may be led to think that the ACL applies 
to data outside the database as well.  For example, people may put ACLs 
scoping the rootDSE into the first database block, because that's how 
things used to work in slapd.  If they don't any more (I'm a bit 
confused right now, but I think when #define LDAP_DEVEL they don't), one 
should be warned.  I admit that check is incomplete and cannot spot all 
occurrences; in fact the messages can assert a violation or just suggest 
its possibility or likelyhood; moreover, I guess they should be relaxed 
to something less than ANY; for instance, to ACL.  Or the entire check 
could be removed, if it doesn't make sense.  Note that the test never 
results in slapd refusing to start.  It's plainly informative.


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497