--On Friday, October 07, 2005 5:29 PM -0700 Jeffrey Froman
<[EMAIL PROTECTED]> wrote:

> I am upgrading from openldap-2.1.22 to openldap-2.2.23, and I am having
> some difficulty getting the ACLs to a state that the new version is
> happy with. Can anyone describe (or point me to a document that
> describes) the ACL syntax differences between these versions? My
> searches so far have produced only fragmentary results.
>
> What I've learned so far: I found I needed to change "access to dn=" to
> "access to dn.regex=" when the dn contained any regular expression
> syntax. After making this change, slapd starts without complaint, but it
> appears that my "by group=" access rules are not being used, if I am
> interpreting the slapd logging output correctly.
>
> I also changed "attr=" to "attrs=" for each ACL.
>
> Other possibly relevant information: Some of the group identifiers
> contain references to a match group in dn.regex, such as:
>
>     access to dn.regex="dc=([^,]+),o=([^,]+)"
>         by group="cn=admin,ou=sys,o=$2"

You probably want

    by group.expand="......"

See the slapd.access man page.
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
"These censorship operations against schools and libraries are stronger
than ever in the present religio-political climate. They often focus on
fantasy and sf books, which foster that deadly enemy to bigotry and blind
faith, the imagination." -- Ursula K. Le Guin
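
An added example, not part of the original thread: a small Python check that scans slapd.conf ACL text for the three 2.1-style constructs discussed above (`dn=` holding regex syntax, `attr=`, and `group=` holding a `$N` reference without `.expand`). The sample ACLs are constructed, the function name `lint_acls` is hypothetical, and the regex-character test is a heuristic rather than a DN parser.

```python
import re

# Constructed sample: two ACLs in the style quoted in the thread, the first
# written the 2.1 way, the second already converted.
SAMPLE_ACLS = '''\
access to dn="dc=([^,]+),o=([^,]+)" attr=userPassword
    by group="cn=admin,ou=sys,o=$2" write
    by * none
access to dn.regex="dc=([^,]+),o=([^,]+)" attrs=mail
    by group.expand="cn=admin,ou=sys,o=$2" write
    by * read
'''

VALUE = r'("[^"]*"|\S+)'                      # quoted or bare right-hand side
TO_DN = re.compile(r'\bto\s+dn(\.\w+)?=' + VALUE)
OLD_ATTR = re.compile(r'\battr=')             # does not match "attrs="
BY_GROUP = re.compile(r'\bgroup(?:/[^.=\s]+)?(\.\w+)?=' + VALUE)
SUBST = re.compile(r'\$\{?\d')                # $1 or ${1} match-group reference
REGEX_CHARS = set('()[]*^$|')                 # heuristic (assumption)


def lint_acls(text):
    """Return (line_number, rule, message) for each construct to review."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith('#'):     # skip comment lines
            continue
        m = TO_DN.search(line)
        if m and m.group(1) is None and REGEX_CHARS & set(m.group(2)):
            findings.append((lineno, 'dn.regex',
                             'dn= value contains regex syntax; write dn.regex='))
        if OLD_ATTR.search(line):
            findings.append((lineno, 'attrs', 'attr= should be attrs='))
        m = BY_GROUP.search(line)
        if m and m.group(1) != '.expand' and SUBST.search(m.group(2)):
            findings.append((lineno, 'group.expand',
                             'group= value uses $N; write group.expand= '
                             '(see slapd.access)'))
    return findings


if __name__ == '__main__':
    for lineno, rule, message in lint_acls(SAMPLE_ACLS):
        print(f'line {lineno}: [{rule}] {message}')
```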