[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#4522) Minor inconsistency between ACL documentation and code

Full_Name: Ralf Haferkamp
Version: HEAD, RE23, RE24
URL: ftp://ftp.openldap.org/incoming/rhaferkamp-20060505-slapd-access.dif
Submission from: (NULL) (

I just noticed two minor inconsistencies between the acl parsing code and the
slapd.access manpage. 
The manpage states that the "dn=" part of the <what> is optional. Current code
however doesn't allow the specify ACLs like "access to cn=test ..."

Addionally the BNF at the beginning of the man-page is IMO slightly wrong.
It should be:
 access to <what> [ by <who> [ <access> ] [ <control> ] ]+
instead of:
 access to <what> [ by <who> <access> [ <control> ] ]+

As it seems to be perfectly ok to have the <access> part missing (e.g. by *

In the assumption that the code is always right :-), I created the uploaded
patch for the man page.

I am also thinking if it might make sense to mention the implicit "by * none"
somewhere prominently in the manpage. Maybe by adding a "Access Control
Evaluation" section to the manpage. Opinions?

It is currently only mentioned in the Adminguide. I had several reports from
users stumbling over this.