As documented in the slapd.access man page:

       Lists  of  access  directives are evaluated in the order they appear in
       slapd.conf.  When a <what> clause matches the  datum  whose  access  is
       being evaluated, its <who> clause list is checked.  When a <who> clause
       matches the accessor's properties, its <access> and  <control>  clauses
       are evaluated.  Access control checking stops at the first match of the
       <what> and <who> clause, unless otherwise  dictated  by  the  <control>
       clause.  Each <who> clause list is implicitly terminated by a

            by * none stop

This is why there needs to be a "by * break" at the end of the access
control line - otherwise access will always be denied even if additional
ACLs are added to the cn=config tree.

-- 
Lucid (or karmic) slapd upgrade does not really allow localroot cn=config 
manage rights
https://bugs.launchpad.net/bugs/559070
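
The evaluation order quoted above, as an added example that is not part of the original bug comment or of OpenLDAP: a simplified Python model of first-match ACL evaluation showing why a later directive is never reached without "by * break". It assumes whole access levels only and just the "stop" and "break" controls; the admin DN and the second directive are constructed for illustration.

```python
# Simplified model of slapd ACL evaluation: whole access levels only, and
# only the "stop" and "break" controls. All names below are constructed.
LOCALROOT = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
ADMIN = "cn=admin,dc=example,dc=com"      # hypothetical second administrator
IMPLICIT = ("*", "none", "stop")          # appended to every <who> list

def evaluate(acls, target, who):
    """Return the access level `who` is given on `target`.

    acls is an ordered list of (what, [(who, level, control), ...]).
    A what/who of "*" matches anything; level None grants nothing new.
    """
    granted = "none"
    for what, by_list in acls:
        if what not in ("*", target):
            continue                      # <what> does not match, next directive
        for subject, level, control in by_list + [IMPLICIT]:
            if subject not in ("*", who):
                continue                  # <who> does not match, next clause
            if level is not None:
                granted = level
            if control == "stop":
                return granted            # first match ends the evaluation
            break                         # "break": try the next directive
    return granted                        # nothing matched at all

# access to * by dn.exact=<LOCALROOT> manage
# access to * by dn.exact=<ADMIN> write
WITHOUT_BREAK = [
    ("*", [(LOCALROOT, "manage", "stop")]),
    ("*", [(ADMIN, "write", "stop")]),
]
# access to * by dn.exact=<LOCALROOT> manage by * break
# access to * by dn.exact=<ADMIN> write
WITH_BREAK = [
    ("*", [(LOCALROOT, "manage", "stop"), ("*", None, "break")]),
    ("*", [(ADMIN, "write", "stop")]),
]

if __name__ == "__main__":
    for name, acls in (("without break", WITHOUT_BREAK), ("with break", WITH_BREAK)):
        for who in (LOCALROOT, ADMIN, "cn=other"):
            print(f"{name:14} {who:58} -> {evaluate(acls, 'cn=config', who)}")
```

In both rule sets an identity that no directive names still ends at the implicit "by * none stop", so adding "by * break" does not widen access by itself.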