#1
incompatible access control between versions
Hi listers
i observed the following:

in openldap version 2.3.39 the following was acceptable: the access control statements for an ldap-database follow the definition of the database, i.e. in the slapd.conf file (and its includes) you could have the following sequence:

<general section>
<database1 section>
<access-control section to database1>
<database2 section>
<access-control section to database2>

in openldap-version 2.4.8-3, however, the above sequence is no longer accepted, all access-controls must be in the general-section: the access-control you get in this case is the default one: "everyone authenticated can read everything", i.e. your access-controls are silently disregarded.

you don't find a hint what's wrong with your access control, neither in the log nor on the error output. only after increasing the debug level to -d255 (-d15 is not sufficient), when starting slapd, you get "warning: ACL appears to be out of scope within backend naming context".

i would rather have liked to see an error "access control error" on the error output when starting slapd, and the start failing altogether.

suomi
#2
incompatible access control between versions
Sunday 06 July 2008 10:30:01 openldap wrote:
> Hi listers
> i observed the following:
> in openldap version 2.3.39 the following was acceptable: the access control statements for an ldap-database follow the definition of the database, i.e. in the slapd.conf file (and its includes) you could have the following sequence:
>
> <general section>
> <database1 section>
> <access-control section to database1>
> <database2 section>
> <access-control section to database2>
>
> in openldap-version 2.4.8-3, however, the above sequence is no longer accepted, all access-controls must be in the general-section: the access-control you get in this case is the default one: "everyone authenticated can read everything", i.e. your access-controls are silently disregarded.

This is not the behaviour I am seeing (on Mandriva's 2.4.8-3mdv2008.1 package). I have some global ACLs (access to dn.exact="", access to dn.exact="cn=Subschema"), and inside my database definition I have the database-specific ACLs, and they are being applied correctly.

> you don't find a hint what's wrong with your access control, neither in the log nor on the error output. only after increasing the debug level to -d255 (-d15 is not sufficient), when starting slapd, you get "warning: ACL appears to be out of scope within backend naming context".

The fact that you list this warning doesn't match with your statement above about your current configuration.

Regards,
Buchan
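
A minimal lint for the situation discussed in this thread, added here as an example (not code from either poster or from OpenLDAP): it walks a slapd.conf-style file and reports per-database `access to` directives whose target DN lies outside that database's `suffix`. It assumes this is what the quoted "out of scope within backend naming context" warning refers to; the sample configuration and all function names are constructed.

```python
import re

# Constructed sample (not from the thread): per-database ACLs follow each
# database definition; the second one targets a DN outside its suffix.
SAMPLE = '''\
access to dn.exact="" by * read

database bdb
suffix "dc=example,dc=com"
access to dn.subtree="ou=people,dc=example,dc=com"
    by self write
    by users read

database bdb
suffix "dc=other,dc=org"
access to dn.subtree="ou=people,dc=example,dc=com"
    by users read
'''

def norm(dn):
    """Crude DN normalisation: lowercase, no spaces around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def in_scope(dn, suffix):
    """True if dn equals suffix or lies below it."""
    dn, suffix = norm(dn), norm(suffix)
    return suffix == "" or dn == suffix or dn.endswith("," + suffix)

def lint(conf):
    """Return (line_no, target_dn, suffixes) for out-of-scope database ACLs."""
    findings, suffixes, in_db = [], [], False
    for no, line in enumerate(conf.splitlines(), 1):
        words = line.split(None, 1)
        if not words or line[0] in "# \t":   # blank, comment, continuation
            continue
        key = words[0].lower()
        if key == "database":
            in_db, suffixes = True, []
        elif key == "suffix" and in_db and len(words) > 1:
            suffixes.append(words[1].strip().strip('"'))
        elif key == "access" and in_db and suffixes:
            # Only explicit, non-regex DN styles on the directive's first line.
            m = re.search(r'\bdn\.(\w+)="([^"]*)"', line)
            if m and m.group(1).lower() != "regex":
                if not any(in_scope(m.group(2), s) for s in suffixes):
                    findings.append((no, m.group(2), list(suffixes)))
    return findings

if __name__ == "__main__":
    for no, dn, sfx in lint(SAMPLE):
        print(f"line {no}: ACL target {dn!r} is outside suffix(es) {sfx}")
```

ACLs in the general section, regex-style targets and targets without an explicit `dn.<style>` are not evaluated by this sketch.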