Re: ACLs broken by ITS#5419
Rein Tollevik wrote:
> On Mon, 24 Mar 2008, Howard Chu wrote:
>> firstname.lastname@example.org wrote:
>>> The change to servers/slapd/backend.c for ITS#5416 seems to have broken the
>>> ability for group and set statements in access control lines to refer to
>>> outside the backend currently being operated on.
>> That ability was never intended in the first place. Historically, backends in
>> slapd have been treated as isolated DSAs with no connection to each other.
>> They've required special mechanisms (like back-relay or slapo-glue) to be
> Yes, I know, the change that allowed this was imo the one that made sets
> and groups really useful. Our database configuration still has traces of
> the workarounds the lack of this feature once forced us to make.
> But, the latest change also removes this ability for databases subordinate
> to the same common superior (i.e. using the slapo-glue). If I understand
> you correctly it is a bug that glue'ed databases cannot refer to each other,
> although I still consider it a bug (or at least a huge drawback) if this
> would no longer be generally possible.
Actually, looking back over CVS, it seems this ability has existed since
OpenLDAP 2.0, intended or not. Will have to work up a better solution to
restore that behavior.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/