[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: config_back_db_open and "cannot assess the validity of the ACL scope" in openldap-devel

<quote who="Pierangelo Masarati">
> Gavin Henry wrote:
>> Hi all,
>> Just playing in openldap-devel, with the next step being mirrormode, and
>> get this warning when running slapd with debug on:
>>     config_back_db_open: line 0: warning: cannot assess the validity of
>> the ACL scope within backend naming context
>> So is this a seperate assessment outwith the normal syntax one?
>> I don't quite understand the warning.
> That's quite informative, and issued at a very verbose log level.
> Basically, the ACL parsing code checks whether a rule will actually be
> used with the scope it can potentially apply to.  For example, if you
> place a rule
> access to dn.subtree="" by * read
> within a database with suffix "dc=example,dc=com", the rule might
> potentially apply to any DN, but since it's placed within a database
> with a non-empty suffix, it will only apply to
> dn.subtree="dc=example,dc=com".  So the ACL designer might be fooled
> into believing that it will apply to any entry while it won't.  This
> doesn't mean that the ACL is wrong: it will do what's intended for;
> that's why the warning is informative.  In some cases, the ACL parsing
> code cannot determine the scope of a rule (for example, when regular
> expressions are involved); this causes the specific warning you see.  If
> you understood the ACL syntax and you believe your ACLs are correct, you
> can safely ignore that warning.

Understood, thanks.


> p.
> Ing. Pierangelo Masarati
> OpenLDAP Core Team
> SysNet s.n.c.
> Via Dossi, 8 - 27100 Pavia - ITALIA
> http://www.sys-net.it
> ------------------------------------------
> Office:   +39.02.23998309
> Mobile:   +39.333.4963172
> Email:    pierangelo.masarati@sys-net.it
> ------------------------------------------