Quoting Pierangelo Masarati <[EMAIL PROTECTED]>:

> On the contrary, using "[all]" works as expected.

With this I take it that '[all]' isn't supposed to give you access to the entry itself? I'm not surprised actually, it kinda makes sense - why else have 'entry'? :)

> I've fixed that in re23.

Thanx a lot! I tried to do that myself (just take aci.c from HEAD), but that had way too many other changes so I gave up on that. And I wasn't quite sure where/what to take... Looked a little too much 'internal OpenLDAP magic' to me :).

> Much like in HEAD, now "[entry]" is tolerated
> in input, but it gets normalized into "entry" (so don't get surprised
> nor disappointed when you look at your newly added ACIs). Further
> checking always uses "entry".

I don't care either way actually. Either is fine by me. For future use (re24), which should I use?

> You should note some other odds in input/output, since
> normalization/prettification is consistently used on ACI values. You
> might also notice some performance improvement, since now access
> checking heavily relies on the presence of normalized values.

Sorry, but can you take that again, slower? :) I'm not going to say it looked like Greek - I don't want to have my head bitten off, or a Greek dictionary shoved down my throat :) But either I'm very tired, or I'm not myself today...

> Normalization rules shouldn't have changed, so there should be no need
> to dump/reload your database.

Between re22 and re23? Or re23 and re24? I did the dump/reload because I took my production database and tried to load it on my development platform so I could test out re23... And I actually think I'll wait with the upgrade of the production machines until I've helped out testing re24...

> The multiple attribute feature is gone in 2.3 (it's back in 2.4: see
> ITS#4759).

Thanx. Since re23 'is near end of life', I'll just play with 2.3 on my development platform(s) and wait/help test for re24...

> However, 2.3 and later have another feature: you can add
> multiple sets of "perms;attr" groups, like
>
> openldapaci: 0#entry#grant;w,r,s,c;entry;r,s,c;objectClass#public#

That I saw both in the source and in the example/test script. But I found that even worse/uglier so I'll stick with the single attribute per 'line' (for playing with new features in 2.3 - preparing myself for 2.4).
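
The multi-group ACI value quoted above, split into its parts with the "[entry]" to "entry" normalization applied, as an added example that is not part of the original message and is not OpenLDAP code. The field names and the helper functions are assumptions made for illustration; only the sample value and the normalization rule come from the thread.

```python
# Added illustration, not OpenLDAP code. The field names (oid, scope, action,
# subject_type, subject) are assumed labels for the five '#'-separated fields.
from typing import NamedTuple

class ACI(NamedTuple):
    oid: str
    scope: str
    action: str
    groups: tuple        # ((perms, attrs), ...), one pair per "perms;attr" group
    subject_type: str
    subject: str

def normalize_attr(name):
    # Per the thread: "[entry]" is tolerated on input but normalized to "entry".
    return "entry" if name == "[entry]" else name

def parse_aci(value):
    fields = value.split("#", 4)   # the subject is the last field and may be empty
    if len(fields) != 5:
        raise ValueError("expected five '#'-separated fields")
    oid, scope, rights, subject_type, subject = fields
    action, *rest = rights.split(";")
    if not rest or len(rest) % 2:
        raise ValueError("rights must be an action followed by perms;attr pairs")
    groups = []
    for perms, attrs in zip(rest[0::2], rest[1::2]):
        p = tuple(x.strip() for x in perms.split(","))
        a = tuple(normalize_attr(x.strip()) for x in attrs.split(","))
        if not all(p) or not all(a):
            raise ValueError("empty permission or attribute name")
        groups.append((p, a))
    return ACI(oid, scope, action, tuple(groups), subject_type, subject)

def format_aci(aci):
    rights = ";".join([aci.action] + [",".join(part) for g in aci.groups for part in g])
    return "#".join([aci.oid, aci.scope, rights, aci.subject_type, aci.subject])

def attrs_with(aci, perm):
    # Audit helper: which attributes does this ACI list together with `perm`?
    return sorted({a for perms, attrs in aci.groups if perm in perms for a in attrs})

if __name__ == "__main__":
    aci = parse_aci("0#entry#grant;w,r,s,c;entry;r,s,c;objectClass#public#")
    print(aci.groups, attrs_with(aci, "w"))
    print(format_aci(parse_aci("0#entry#grant;r,s,c;[entry]#public#")))
```

Running `attrs_with` over every ACI in an LDIF dump gives a quick review of which attributes a value pairs with write permission, which is harder to see by eye once several groups share one value.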