[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
(ITS#8246) defining multiple frontend DBs should probably not be allowed
- To: openldap-its@OpenLDAP.org
- Subject: (ITS#8246) defining multiple frontend DBs should probably not be allowed
- From: ryan@openldap.org
- Date: Wed, 16 Sep 2015 16:21:56 +0000
- Auto-submitted: auto-generated (OpenLDAP-ITS)
Full_Name: Ryan Tandy
Version: 2.4, master
OS: Debian
URL:
Submission from: (NULL) (24.68.37.4)
Submitted by: ryan
In #openldap, IsoLinCHiP noted that the following config works as intended, and
asked whether it's supported:
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.base="cn=admin,cn=config" manage by * +0 break
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=admin,cn=config
dn: olcDatabase={1}frontend,cn=config
objectClass: olcDatabaseConfig%obobjectClass: olcFrontendConfig
olcDatabase: {1}frontend
olcAccess: {0}to dn.base="" by * read
olcAccess: {1}to dn.base="cn=subschema" by * read
olcAccess: {2}to dn.subtree="dc=de" attrs=userPassword,userPKCS12 by * auth
dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {2}mdb
olcDbDirectory: /usr/local/openldap/var/openldap-data
olcRootDN: cn=admin,cn=config
olcSuffix: dc=de
The current behaviour is that the additional ACLs on olcDatabase={1}frontend get
appended to the frontendDB ACL just as if they'd been defined on
olcDatabase={-1}frontend. Behaviour for other attributes varies: some are merged
with earlier values, or overwrite them; others are rejected.
It seems to me that defining a second frontend is neither supported, nor to be
depended upon, and therefore should probably be explicitly disallowed. Am I
right?