Re: Issue with default ACL selection and back-config (revitalizing ITS#3100?...)
At 06:57 PM 4/12/2005, Howard Chu wrote:
>>I'm fine with doing away with the "first DB ACLS are used if
>>no global ACLs" feature.
>The one difference is that with the "first DB" behavior, a user bound as the rootDN of the first DB would automatically have unrestricted access to the rootDSE etc. (Not that there's anything in there for which root access is particularly important.) Removing this feature would require explicit global ACLs for those cases, as the rootDN of the first DB would no longer be "special" in the context of the rootDSE or schema subentry.
Actually, this may hint at why we have the firstDB acls
apply to global items... it's more about the firstDB rootdn.
I guess I would not be opposed to adding a global rootdn.
I might even not be opposed to removing DB rootdns (e.g.,
only having a global rootdn). But then, I've always thought
the rootdn to be evil, though a sometimes necessary evil.