[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: incompatible access control between versions

On Sunday 06 July 2008 10:30:01 openldap wrote:
> Hi listers
> i observed the following:
> in openldap version 2.3.39 the following was acceptable:
> the access control statements for an ldap-database follow the definition
> of the database, i.e. in the slapd.conf file (and its includes) you
> could have the following sequence:
> <general section>
> <database1 secion>
> <access-control section to  database1>
> <database2 section>
> <access-control section to database2>
> ...
> in openldap-version 2.4.8-3, however, the above sequence is no longer
> accepted, all access-controls must be in the general-section:
> the access-control, you get in this case, is  the default one: "everyone
> authenticated can read everything", i.e. your access-controls are
> silently disregarded.

This is not the behaviour I am seeing (on Mandriva's 2.4.8-3mdv2008.1 
package). I have some global ACLs (access to dn.exact=""....., access to 
dn.exact="cn=Subschema"), and inside my database definition I have the 
database-specific ACLs, and they are being applied correctly.

> you don't find a hint what's wrong with your access control, neither in
> the log nor on the error output. only after increasing the debug level
> to -d255 (-d15 is not sufficient), when starting slapd, you get
> "warning: ACL appears to be out of scope within backend naming context".

The fact that you list this warning doesn't match with your statement above 
about your current configuration.