Comment 11 for bug 538516

Nathan Stratton Treadway (nathanst) wrote :

Using this new version of the slapd.postinst script, the "cn=config" database ends up with these two olcAccess attributes:

$ sudo slapcat -b"cn=config" -s"olcDatabase={0}config,cn=config" | grep olcAccess
olcAccess: {0}to * by * none
olcAccess: {1}to * by dn.exact=cn=localroot,cn=config manage by * break

As far as I understand the OpenLDAP Access Control documentation, in this scenario the {0} line will always take precedence over the {1} line (so that the latter will just be ignored). It seems like the two separate directives should instead be combined into one, something like:

olcAccess: {0}to * by dn.exact=cn=localroot,cn=config manage by * none

I haven't yet managed to find any discussion of the exact goals behind adding the various "localroot" access directives into the slapd configuration, so I'm not sure what sort of testing I can do to confirm that my understanding is correct.

But I figured I would go ahead and submit this comment now, in hopes that someone who knows more about why this logic was added to the script in version 2.4.17-1ubuntu3 can check to see if this new version of the script is still having the desired effect....
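The precedence point in the comment above can be checked with this added model of slapd's first-match ACL walk (example code, not from the bug report or from the slapd package). It assumes the documented defaults (a `by` clause stops unless it says `break`; a matched `to` with no matching `by` denies), treats an omitted access level as `none`, and handles only `to *` with `*` or `dn.exact=` identities, which is all the quoted values use.

```python
import re
# Model of slapd's olcAccess walk: directives are tried in index order, the first
# matching "by" clause decides, and "break" falls through to the next directive.
LEVELS = ("none", "disclose", "auth", "compare", "search", "read", "write", "manage")

def parse_directive(line):
    """'{1}to * by dn.exact=X manage by * break' -> [(who, level, control), ...]"""
    body = re.sub(r"^\{\d+\}", "", line.strip())            # drop the {n} prefix
    if not body.startswith("to * by "):
        raise ValueError(f"only 'to *' directives are modelled: {line!r}")
    clauses = []
    for part in body[len("to * by "):].split(" by "):
        who, *rest = part.split()
        level = next((t for t in rest if t in LEVELS), "none")  # omitted level -> none (assumed)
        control = "break" if "break" in rest else "stop"         # slapd default control is stop
        clauses.append((who, level, control))
    return clauses

def who_matches(who, bind_dn):
    if who.startswith("dn.exact="):                            # bind_dn is None when anonymous
        return bind_dn is not None and who[9:].lower() == bind_dn.lower()
    return who == "*"                                          # other <who> forms never match here

def evaluate(directives, bind_dn):
    """(level, index of the deciding directive); index None means the walk ran off the end."""
    for idx, line in enumerate(directives):
        for who, level, control in parse_directive(line):
            if not who_matches(who, bind_dn):
                continue
            if control == "break":
                break                 # leave this directive and try the next one
            return level, idx         # "stop": this clause is the decision
        else:
            return "none", idx        # 'to' matched but no 'by' did: implicit deny
    return "none", None

def shadowed(directives):
    """Indices of directives that no bind DN can reach because an earlier one stops every walk."""
    for idx, line in enumerate(directives):
        clauses = parse_directive(line)
        escape = next((c for w, _, c in clauses if w == "*" or c == "break"), "stop")
        if escape != "break":         # a stopping 'by *' (or the implicit deny) ends everyone here
            return list(range(idx + 1, len(directives)))
    return []

# The two generated values quoted in the comment, and the combined form proposed there.
AS_GENERATED = ["{0}to * by * none",
                "{1}to * by dn.exact=cn=localroot,cn=config manage by * break"]
COMBINED = ["{0}to * by dn.exact=cn=localroot,cn=config manage by * none"]
LOCALROOT = "cn=localroot,cn=config"
```

On the generated pair, `evaluate(AS_GENERATED, LOCALROOT)` yields `('none', 0)` and `shadowed(AS_GENERATED)` reports index 1 as unreachable, while the combined directive yields `('manage', 0)` for localroot and `('none', 0)` for everyone else.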