(ITS#8763) ACL scope warning



Full_Name: Claude
Version: 2.4.45 
OS: CentOS Linux release 7.3.1611 (Core)
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (198.168.152.20)


The slapd.conf OpenLDAP configuration file is shown below.

The slapd daemon is issuing an ACL scope warning for an unknown reason; the ACL
is in the slapd.conf.

Warning messages:

config_back_db_open: line 0: warning: cannot assess the validity of the ACL
scope within backend naming context

How can that warning be addressed?

Thanks

How to recreate the warning messages, based on the slapd.conf below:

I'd like to get rid of that ACL scope warning.

Thanks, Claude

### - slapd is launched by running this command ###

/usr/sbin/slapd -d acl 

#
# output of slapd daemon
#

59f51611 @(#) $OpenLDAP: slapd 2.4.45 (Sep 10 2017 16:37:12) $
        root@templateldap:/a/admin/ldap/openldap-2.4.45/servers/slapd
59f51611 => access_allowed: search access to "cn=config" "objectClass"
requested
59f51611 <= root access granted
59f51611 => access_allowed: search access granted by manage(=mwrscxd)
59f51611 => access_allowed: search access to "cn=schema,cn=config" "objectClass"
requested
59f51611 <= root access granted
59f51611 => access_allowed: search access granted by manage(=mwrscxd)
59f51611 => access_allowed: search access to "cn={0}core,cn=schema,cn=config"
"objectClass" requested
59f51611 <= root access granted
59f51611 => access_allowed: search access granted by manage(=mwrscxd)
59f51611 => access_allowed: search access to "cn={1}cosine,cn=schema,cn=config"
"objectClass" requested
59f51611 <= root access granted
59f51611 => access_allowed: search access granted by manage(=mwrscxd)
59f51611 => access_allowed: search access to
"cn={2}inetorgperson,cn=schema,cn=config" "objectClass" requested
59f51611 <= root access granted
59f51611 => access_allowed: search access granted by manage(=mwrscxd)
59f51611 => access_allowed: search access to
"olcDatabase={-1}frontend,cn=config" "objectClass" requested
59f51611 <= root access granted
59f51611 => access_allowed: search access granted by manage(=mwrscxd)
Backend ACL: access to dn.base="dc=example,dc=com"
        by * read

59f51611 => access_allowed: search access to "olcDatabase={0}config,cn=config"
"objectClass" requested
59f51611 <= root access granted
59f51611 => access_allowed: search access granted by manage(=mwrscxd)
Backend ACL: access to dn.base="cn=admin,cn=config"
        by * none

59f51611 => access_allowed: search access to "olcDatabase={1}mdb,cn=config"
"objectClass" requested
59f51611 <= root access granted
59f51611 => access_allowed: search access granted by manage(=mwrscxd)
Backend ACL: access to dn.children="dc=example,dc=com"
        by * search

Backend ACL: access to dn.base="dc=example,dc=com"
        by * read

Backend ACL: access to *
        by * none

59f51611 config_back_db_open: line 0: warning: cannot assess the validity of the
ACL scope within backend naming context
59f51611 slapd starting

#### - slapd.conf - #####

#
# NOTES: inetorgperson picks up attributes and objectclasses
#        from all three schemas
#
# NB: RH Linux schemas in /etc/openldap
#
include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/inetorgperson.schema

# NO REFERRALS

# DON'T bother with ARGS file
pidfile  /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

loglevel    ACL 
disallow bind_anon
#
#####################################
# frontend database
#####################################
#

access to dn.base="dc=example,dc=com" by * read

#######################################################################
# bdb database definitions
# 
# replace example and com below with a suitable domain
# 
# If you don't have a domain you can leave it since example.com
# is reserved for experimentation or change them to My and inc
#######################################################################

database mdb
#access  to dn.base="dc=example,dc=com"  by * read
access to dn.children="dc=example,dc=com" by * search
access to dn.base="dc=example,dc=com"     by * read
suffix "dc=example, dc=com"

#
# superuser
rootdn "cn=jimbob, dc=example, dc=com"
rootpw dirtysecret
# The database directory MUST exist prior to running slapd AND
# change path as necessary
directory   /var/lib/ldap

# Indices to maintain for this directory
# required if searches will use 
# unique id so equality match only
index   uid eq
# allows general searching on commonname, givenname and email
index   cn,gn,mail eq,sub
# allows multiple variants on surname searching
index sn eq,sub
# sub above includes subinitial,subany,subfinal
# optimise department searches
index ou eq
# if searches will include objectClass uncomment following
# index objectClass eq
# shows use of default index parameter
index default eq,sub
# indices missing - uses default eq,sub
index telephonenumber

#
#####################################
# config database
#####################################
#
database config
access  to dn.base="cn=admin,cn=config"  by * none
rootdn   "cn=admin,cn=config"
rootpw   {SSHA}rZGfPJkJYWy036tqoQb9jZ4Tz36c7ddG
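
The "ACL scope within backend naming context" in the warning is the relation between an ACL's target DN and the suffix of the database the ACL is declared in. The following is an added example, not part of the original report and not slapd's own logic: a simplified Python check that reads slapd.conf-style text and reports that relation for each ACL. The function names and verdict labels are this example's own, and `access to *` is labelled "unassessed" only because it names no DN to compare.

```python
import re

# Constructed excerpt: the database and access lines of the slapd.conf above.
SAMPLE_CONF = '''\
access to dn.base="dc=example,dc=com" by * read
database mdb
access to dn.children="dc=example,dc=com" by * search
access to dn.base="dc=example,dc=com"     by * read
suffix "dc=example, dc=com"
database config
access  to dn.base="cn=admin,cn=config"  by * none
'''

# Matches "access to *" or "access to dn[.style]="<dn>""; other target forms are skipped.
ACL_RE = re.compile(r'^access\s+to\s+(?:(\*)|dn(?:\.\w+)?="([^"]*)")', re.I)

def norm_dn(dn):
    """Crude normalisation: lower-case and drop spaces around RDN separators."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def classify(target, suffix):
    """Relate an ACL target DN to a database suffix (labels are this example's own)."""
    if target is None:
        return "unassessed"      # "access to *" names no DN to compare
    if suffix is None:
        return "no-suffix"       # global ACL, or database without a suffix line
    t, s = norm_dn(target), norm_dn(suffix)
    # Compare on an RDN boundary so a DN that merely ends with the same
    # characters is not taken for a descendant of the suffix.
    return "in-scope" if t == s or t.endswith("," + s) else "out-of-scope"

def audit(conf_text):
    """Return (database, target, verdict) for each ACL in slapd.conf text."""
    dbs = [{"name": "global", "suffix": None, "acls": []}]
    for raw in conf_text.splitlines():
        line = raw.strip()
        words = line.split(None, 1)
        if len(words) < 2 or line.startswith("#"):
            continue
        key, rest = words[0].lower(), words[1].strip()
        if key == "database":
            # back-config always serves the cn=config naming context
            suffix = "cn=config" if rest.lower() == "config" else None
            dbs.append({"name": rest, "suffix": suffix, "acls": []})
        elif key == "suffix":
            dbs[-1]["suffix"] = rest.strip('"')
        elif key == "access":
            m = ACL_RE.match(line)
            if m:
                dbs[-1]["acls"].append(None if m.group(1) else m.group(2))
    return [(d["name"], t, classify(t, d["suffix"])) for d in dbs for t in d["acls"]]
```

Calling `audit(SAMPLE_CONF)` returns one tuple per ACL; every DN-targeted ACL declared inside a database section of the posted configuration comes back "in-scope".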