
Re: Ang. RE: Bdb defaults - WAS: problem importing entries.




Pierangelo Masarati wrote:
|>So, we assume that (since the docs aren't currently sufficient to cover
|>some of these minor distinctions with useable ACLs) everyone using
|>OpenLDAP must be able to read and understand all the ACL code before
|>setting up an OpenLDAP server?
|>
|>If this is the case, now we can see why:
|>-relatively few people successfully deploy OpenLDAP
|>-many of those that do have flawed installations
|>-samba people will be implementing an LDAP-like db (since they consider
|>setting openldap up as too difficult for typical samba admins) instead
|>of just using openldap directly
|>
|>(of course, having slapacl should hopefully improve matters)
|
|
|
| no; all that is required (maybe some details are still missing:
| sets, some permissions on some attributes for very special
| operations) is in slapd.access(5), at least that of the latest 2.2;
| I wrote code because (it's obvious) that's the definite source
| of information.  It's not simply a silly comment: I'm the one who
| wrote slapd.access(5), because I was sick of having to find out how
| ACLs worked, and I had to spend some time looking at the code
| and running tests to write it.  I know it's not easy to read and
| to use, but at least it's (almost) complete.  I don't pretend every
| user to read the code, but if you really need something, that's
| the way to go, and if more people did it, and documented the findings,
| open-source software would be much easier to use.  Then I wrote
| slapacl, because I was sick of running slapd to see if my ACLs were
| right.  It should be dependable, because it uses 99% of the code that
| slapd uses, and reads exactly the same configuration that will be read
| by slapd, and so on.

Of course, I'm currently referring to 2.1.x, you're referring to 2.2.x,
but most likely RH (ie Enterprise 4) will ship 2.1.x (considering they
shipped 2.0.27 on Enterprise 3), so it's a long way before your efforts
have an effect (except that hopefully we will have 2.2.x for Mandrake
10.1, and hopefully we will have cyrus-sasl built against heimdal).

I will be migrating all my own boxes to 2.2.x very soon (and doing all
the work to try and make upgrades from 2.1 liveable for users as well),
which should help matters (and my ACL understanding).

Ahh, BTW, I found one of the sources of at least two of my mistakes in
slapd.access(5) from 2.1.x:

|        To match the desired subtree, the rule would be more precisely written:
|
|             access to dn.regex="^(.+,)?dc=example,dc=com$$"
|                  by ...

Can I plead being misled by the documentation?

Regards,
Buchan

--
Buchan Milne                      Senior Support Technician
Obsidian Systems                  http://www.obsidian.co.za
B.Eng                                RHCE (803004789010797)