On Sunday 06 July 2008 10:30:01 openldap wrote: > Hi listers > > i observed the following: > > in openldap version 2.3.39 the following was acceptable: > the access control statements for an ldap-database follow the definition > of the database, i.e. in the slapd.conf file (and its includes) you > could have the following sequence: > > <general section> > <database1 secion> > <access-control section to database1> > <database2 section> > <access-control section to database2> > ... > > > in openldap-version 2.4.8-3, however, the above sequence is no longer > accepted, all access-controls must be in the general-section: > the access-control, you get in this case, is the default one: "everyone > authenticated can read everything", i.e. your access-controls are > silently disregarded.
This is not the behaviour I am seeing (on Mandriva's 2.4.8-3mdv2008.1 package). I have some global ACLs (access to dn.exact=""....., access to dn.exact="cn=Subschema"), and inside my database definition I have the database-specific ACLs, and they are being applied correctly. > you don't find a hint what's wrong with your access control, neither in > the log nor on the error output. only after increasing the debug level > to -d255 (-d15 is not sufficient), when starting slapd, you get > "warning: ACL appears to be out of scope within backend naming context". The fact that you list this warning doesn't match with your statement above about your current configuration. Regards, Buchan
