[Date Prev][Date Next]
Hallvard B Furuseth wrote:
Pierangelo Masarati writes:ACI is enabled at compile by defining --enable-aci; then, to enable it,
you need to add
Ted Kaczmarek wrote:
Is openldap with aci enabled still considered development?(...) In 2.3, some effort is being put in determining if they
suffer from deadlocking, and apparently they don't; I cannot say the
same for erlier releases because no such testing has been done
I thought that was 'access ... by set='. It's 'by aci' too?
by aci[=<aciAttributeDescription>] <access>
where <aciAttributeDescription> is the attribute that contains the rules
and <access> are the privileges that the rules are allowed to change; if
you want to allow changing all privileges you need to use "write";
otherwise, the resulting mask of privileges changed by ACIs is &-ed with
the privileges defined by <access>.
ACIs have very little (if any) to do with sets.
Note that in 2.3 ACI support has been moved under the umbrella of
"dynacl", which is a frmework for pluggable access controls; the syntax
in this case is
by dynacl/<type>[.<style>][=pattern] <access>
if <type> is "aci", then the regular ACIs are used (I haven't isolated
their code enough to allow their loading run-time, so they're still
static). Of course, the old yntax is recognized. This is (almost)
totally undocumented, except the ACI entry in the FAQ
<http://www.openldap.org/faq/data/cache/634.html>, because it's
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
- From: Ted Kaczmarek <firstname.lastname@example.org>
- Re: ACI?
- From: Pierangelo Masarati <email@example.com>
- Re: ACI?
- From: Hallvard B Furuseth <firstname.lastname@example.org>