
Re: ACIs and OL 2.3



Quoting Pierangelo Masarati <ando@sys-net.it>:

> On the contrary, using "[all]" works as expected.

With this I take it that '[all]' isn't supposed to give you access
to the entry itself?
I'm not surprised actually, it kinda makes sense - why else have 'entry'? :)

> I've fixed that in re23.

Thanx a lot! I tried to do that myself (just take aci.c from HEAD), but
that had way too many other changes so I gave up on that. And I wasn't
quite sure where/what to take... Looked a little too much 'internal OpenLDAP
magic' to me :).

> Much like in HEAD, now "[entry]" is tolerated
> in input, but it gets normalized into "entry" (so don't get surprised
> nor disappointed when you look at your newly added ACIs).  Further
> checking always uses "entry".

I don't care either way actually. Either is fine by me. For future
use (re24), which should I use?

> You should note some other odds in input/output, since
> normalization/prettification is consistently used on ACI values.  You
> might also notice some performance improvement, since now access
> checking heavily relies on the presence of normalized values.

Sorry, but can you take that again, slower? :)
I'm not going to say it looked like Greek - I don't want to have my head
bitten off, or a Greek dictionary shoved down my throat :)
But either I'm very tired, or I'm not myself today...

> Normalization rules shouldn't have changed, so there should be no need
> to dump/reload your database.

Between re22 and re23? Or re23 and re24?
I did the dump/reload because I took my production database and tried to
load it on my development platform so I could test out re23... And I
actually think I'll wait with the upgrade of the production machines until
I've helped out testing re24...

> The multiple attribute feature is gone in 2.3 (it's back in 2.4: see
> ITS#4759).

Thanx. Since re23 'is near end of life', I'll just play with 2.3 on
my development platform(s) and wait/help test for re24...

>  However, 2.3 and later have another feature: you can add
> multiple sets of "perms;attr" groups, like
>
> openldapaci: 0#entry#grant;w,r,s,c;entry;r,s,c;objectClass#public#

That I saw both in the source and in the example/test script. But I
found that even worse/uglier so I'll stick with the single attribute
per 'line' (for playing with new features in 2.3 - preparing myself
for 2.4).
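
The "perms;attr" grouping and the "[entry]" to "entry" normalization discussed in this message, as an added example that is not part of the original message or of OpenLDAP's code. It assumes the ACI field layout OID#scope#rights#type#subject with "grant" or "deny" as the action, and handles one attribute per group as described for 2.3; the function names are hypothetical.

```python
from typing import NamedTuple

class Group(NamedTuple):
    action: str   # "grant" or "deny" (assumed action keywords)
    perms: tuple  # permission letters, kept as opaque tokens
    attr: str     # one attribute name or keyword per group

def normalize_attr(attr):
    # Per the thread: "[entry]" is tolerated on input but stored as "entry".
    return "entry" if attr == "[entry]" else attr

def parse_aci(value):
    # Assumed layout: OID#scope#rights#type#subject
    fields = value.split("#", 4)
    if len(fields) != 5:
        raise ValueError("expected five '#'-separated fields")
    oid, scope, rights, subj_type, subject = fields
    action, *rest = rights.split(";")
    if action not in ("grant", "deny"):
        raise ValueError("unknown action: %r" % action)
    if not rest or len(rest) % 2:
        raise ValueError("rights must be action;perms;attr[;perms;attr...]")
    # Pair each permission list with the attribute that follows it.
    groups = [Group(action, tuple(p.split(",")), normalize_attr(a))
              for p, a in zip(rest[0::2], rest[1::2])]
    return {"oid": oid, "scope": scope, "type": subj_type,
            "subject": subject, "groups": groups}

def public_write_targets(aci):
    # Audit helper: attributes on which a "public" subject is granted "w".
    if aci["type"] != "public":
        return []
    return [g.attr for g in aci["groups"]
            if g.action == "grant" and "w" in g.perms]

# The value quoted in the message above.
SAMPLE = "0#entry#grant;w,r,s,c;entry;r,s,c;objectClass#public#"

if __name__ == "__main__":
    aci = parse_aci(SAMPLE)
    for g in aci["groups"]:
        print(g.action, ",".join(g.perms), "on", g.attr, "for", aci["type"])
    print("public write on:", public_write_targets(aci))
```

Run over the ACI values in a directory dump, the audit helper shows which entries hand write permission to the public subject.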