
group ACL Problems, disallow deletion of an object

With OpenLDAP 2.1.30 (Debian sarge), if I use ACLs that restrict access to certain groups, and those groups do not exist when the (protected) objects are accessed, slapd crashes and corrupts the database.

access to dn=".*,dc=test,dc=org"
by group/groupOfMailEnhancedUniqueNames/uniqueMember="cn=admin.mailforward,ou=groups,dc=test,dc=org" write
by * read

slapd: /home/roland/debian/openldap/build/2.1.30/openldap2-2.1.30/servers/slapd/result.c:455: slap_send_ldap_result: Assertion `!(((0x51) <= ((err))) && (((err)) <= (0x61)))&& ( err >= 0 )' failed

As a workaround I would like to protect those groups from being deleted/moved, to ensure that they exist and the database does not crash. But (write) access to their attributes still has to work. How do I allow modifying attributes but not deleting the whole object?

Two ACLs, one listing every possible attribute in the attrs line with the rule that allows writing, followed by one without an attrs line that grants read permission only?

BTW: is anybody aware of a patch/fix for the above problem (which would obviously make my workaround obsolete)?

Thanks, Oliver
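An added example of the "protect the group entries, keep attribute writes" layout asked about above; this is not from the original post and not an OpenLDAP-supplied configuration. It assumes the "entry" and "children" pseudo-attributes described in slapd.access(5) are honoured by the slapd build in use (deleting or renaming an entry needs write access to its "entry" pseudo-attribute and to the "children" pseudo-attribute of its parent), and it keeps the poster's plain dn="<regex>" syntax. The attribute name uniqueMember and the ou=groups container are taken from the post; the ordering of the clauses is the point, because slapd uses the first "access to" clause whose target matches.

```conf
# Added example (not the poster's config, not shipped by OpenLDAP).
# Goal: nobody except the rootdn may delete or rename the group entries
# under ou=groups, but the admin.mailforward group may still change
# the membership attribute on them.  Order matters: slapd stops at the
# first "access to" clause whose target (dn + attrs) matches.

# 1. Block delete/modrdn of the group entries themselves.  Deleting an
#    entry requires write access to its "entry" pseudo-attribute; with
#    only read granted, ldapdelete/modrdn are refused for everyone
#    except the rootdn, which bypasses ACLs.
access to dn="^cn=[^,]+,ou=groups,dc=test,dc=org$" attrs=entry
        by * read

# 2. Block delete/rename/add of children of the container: those
#    operations also need write access to the parent's "children"
#    pseudo-attribute.  Side effect: new groups can only be added by
#    the rootdn, which is intentional for this workaround.
access to dn="^ou=groups,dc=test,dc=org$" attrs=children
        by * read

# 3. The admin.mailforward group keeps write access to the membership
#    attribute of the group entries (add other attributes to the attrs
#    list as needed); everyone else may read it.
access to dn="^cn=[^,]+,ou=groups,dc=test,dc=org$" attrs=uniqueMember
        by group/groupOfMailEnhancedUniqueNames/uniqueMember="cn=admin.mailforward,ou=groups,dc=test,dc=org" write
        by * read

# 4. Remaining attributes of the group entries: read only, so a member
#    of admin.mailforward cannot, for example, rewrite objectClass.
access to dn="^cn=[^,]+,ou=groups,dc=test,dc=org$"
        by * read

# 5. Everything else under the suffix, unchanged from the original ACL.
access to dn="^.*,dc=test,dc=org$"
        by group/groupOfMailEnhancedUniqueNames/uniqueMember="cn=admin.mailforward,ou=groups,dc=test,dc=org" write
        by * read
```

After loading this, a quick check is to bind as a member of admin.mailforward and run an ldapmodify that replaces uniqueMember on one of the groups (should succeed), then an ldapdelete of the same group (should be refused with insufficient access). Note that this only prevents the groups from disappearing through LDAP operations; it does not change the assertion failure itself, which still fires if the referenced group is absent for any other reason, so the protected entries should also be part of whatever backup and consistency checks are run on the database.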