[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#8246) defining multiple frontend DBs should probably not be allowed

Full_Name: Ryan Tandy
Version: 2.4, master
OS: Debian
Submission from: (NULL) (
Submitted by: ryan

In #openldap, IsoLinCHiP noted that the following config works as intended, and
asked whether it's supported:

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.base="cn=admin,cn=config" manage by * +0 break
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=admin,cn=config
dn: olcDatabase={1}frontend,cn=config
objectClass: olcDatabaseConfig%obobjectClass: olcFrontendConfig
olcDatabase: {1}frontend
olcAccess: {0}to dn.base="" by * read
olcAccess: {1}to dn.base="cn=subschema" by * read
olcAccess: {2}to dn.subtree="dc=de" attrs=userPassword,userPKCS12 by * auth
dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {2}mdb
olcDbDirectory: /usr/local/openldap/var/openldap-data
olcRootDN: cn=admin,cn=config
olcSuffix: dc=de

The current behaviour is that the additional ACLs on olcDatabase={1}frontend get
appended to the frontendDB ACL just as if they'd been defined on
olcDatabase={-1}frontend. Behaviour for other attributes varies: some are merged
with earlier values, or overwrite them; others are rejected.

It seems to me that defining a second frontend is neither supported, nor to be
depended upon, and therefore should probably be explicitly disallowed. Am I