
Re: Limit on number of acl entries?



Jason Bodnar wrote:

> I'm using OpenLDAP 1.2.7 and I think I've run into a limit on the number of
> entries for acls.
>
> I have a file called tivoli.acl.conf:
>
> # ACLs for slapd
>
> defaultaccess   read
> access          to attr=userpassword
>                 by self write
>                 by * none
>
> access  to attr=manager,serial,title,isManager
>         by self write
>         by dnattr=manager write
>         by dn="uid=mhogan,ou=internal,ou=people,o=Tivoli Systems" write
>         by dn="uid=aashwort,ou=internal,ou=people,o=Tivoli Systems" write
>         by dn="uid=eloliver,ou=internal,ou=people,o=Tivoli Systems" write
>         by dn="uid=rhernand,ou=internal,ou=people,o=Tivoli Systems" write
>         by dn="uid=mdaniels,ou=internal,ou=people,o=Tivoli Systems" write
>         by dn="uid=dbreazea,ou=internal,ou=people,o=Tivoli Systems" write
>         by dn="uid=trwilson,ou=internal,ou=people,o=Tivoli Systems" write
>         by dn="uid=khorther,ou=internal,ou=people,o=Tivoli Systems" write
>         by dn="uid=lscurloc,ou=internal,ou=people,o=Tivoli Systems" write
>         by dn="uid=ropre,ou=internal,ou=people,o=Tivoli Systems" write
>         by dn="uid=sstanbro,ou=internal,ou=people,o=Tivoli Systems" write
>         by dn="uid=tstampke,ou=internal,ou=people,o=Tivoli Systems" write
>         by dn="uid=ybadmus,ou=internal,ou=people,o=Tivoli Systems" write
>         by dn="uid=jbodnar,ou=internal,ou=people,o=Tivoli Systems" write
>         by dn="uid=rparr,ou=internal,ou=people,o=Tivoli Systems" write
>         by dn="uid=triley,ou=internal,ou=people,o=Tivoli Systems" write
>         by dn="uid=arobinso,ou=internal,ou=people,o=Tivoli Systems" write
>         by dn="uid=olutz,ou=internal,ou=people,o=Tivoli Systems" write
>         by dn="uid=ktraweek,ou=internal,ou=people,o=Tivoli Systems" write
>         by dn="uid=SNOWHITE,ou=internal,ou=people,o=Tivoli Systems" write
>         by dn="uid=cfreibor,ou=internal,ou=people,o=Tivoli Systems" write
>         by dn="uid=gburt,ou=internal,ou=people,o=Tivoli Systems" write
>         by dn="uid=HELENMC,ou=internal,ou=people,o=Tivoli Systems" write
>         by dn="uid=lhoelck,ou=internal,ou=people,o=Tivoli Systems" write
>         by dn="uid=jblack,ou=internal,ou=people,o=Tivoli Systems" write
>         by dn="uid=chlavaty,ou=internal,ou=people,o=Tivoli Systems" write
>         by dn="uid=rferguso,ou=internal,ou=people,o=Tivoli Systems" write
>         by dn="uid=dstevens,ou=internal,ou=people,o=Tivoli Systems" write
>         by dn="uid=kmitchel,ou=internal,ou=people,o=Tivoli Systems" write
>         by dn="uid=cgilmore,ou=internal,ou=people,o=Tivoli Systems" write
>
> If I add another by dn line to this file I get the following error:
>
> Too many tokens (max 100)
>
> So is there a limit to the number of entries you can have for acls? Does a
> newer version fix this? If not, is there a way for me to grant access like
> above but by doing it with group members?

The problem is simply a limit on the number of args one config line can
contain; the fix is straightforward: increase the
#define MAXARGS 100
in $LDAPROOT/ldap/servers/slapd/config.c
to a more reasonable number and recompile slapd.
Remember that a multi-line entry whose lines other than the first begin with
a space or tab is treated as a single, long line, in order to allow very long
entries in the conf file.

Regards,
Pierangelo Masarati <ando@sys-net.it>
SysNet <www.sys-net.it>
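As an added check that is not part of this thread and not OpenLDAP's own code: the script below joins slapd.conf continuation lines the way the reply describes (a line beginning with a space or tab continues the previous logical line; "#" lines are comments; a blank line ends the logical line), counts whitespace-separated tokens with double quotes grouping a DN that contains spaces, and flags any logical line with more than MAXARGS tokens. The sample config is constructed to mirror the poster's file (30 "by dn=" clauses, 3 tokens each, plus 9 tokens of header), so it comes out at 99 tokens and one more clause pushes it to 102. The user names, the "o=Example Corp" suffix and the "cn=hr-editors" group are made up; the group-based rewrite assumes the server's slapd.conf(5) accepts "by group=<dn>".

```python
"""Added example: count tokens per logical slapd.conf line to find lines that
would trip slapd 1.2's "Too many tokens (max 100)" at startup.
Constructed sample data, not the poster's real file."""
import shlex

MAXARGS = 100  # value of "#define MAXARGS" in slapd 1.2 servers/slapd/config.c


def logical_lines(text):
    """Join physical lines into logical config lines.

    Assumed rules, as the reply describes them: a line starting with a
    space or tab continues the preceding line; lines starting with '#' are
    comments; a blank line ends the current logical line."""
    result = []
    current = None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw[:1] in (" ", "\t") and current is not None:
            current += " " + raw.strip()
            continue
        if current is not None:
            result.append(current)
            current = None
        if raw.strip():
            current = raw.strip()
    if current is not None:
        result.append(current)
    return result


def count_tokens(line):
    """Whitespace-separated tokens; double quotes keep a DN such as
    dn="uid=x,o=Example Corp" together as one token."""
    return len(shlex.split(line))


def check(text, maxargs=MAXARGS):
    """Return [(token_count, first 40 chars)] for every logical line with
    more than maxargs tokens, i.e. one slapd 1.2 would refuse to load."""
    over = []
    for line in logical_lines(text):
        n = count_tokens(line)
        if n > maxargs:
            over.append((n, line[:40]))
    return over


# Constructed sample mirroring the poster's file: 30 "by dn=" clauses.
USERS = ["user%02d" % i for i in range(30)]
BY_DN = "".join(
    '        by dn="uid=%s,ou=internal,ou=people,o=Example Corp" write\n' % u
    for u in USERS)

CONF = (
    "# ACLs for slapd\n"
    "\n"
    "defaultaccess   read\n"
    "access          to attr=userpassword\n"
    "                by self write\n"
    "                by * none\n"
    "\n"
    "access  to attr=manager,serial,title,isManager\n"
    "        by self write\n"
    "        by dnattr=manager write\n"
    + BY_DN)

# The same file with one more "by dn=" clause (3 more tokens).
CONF_PLUS_ONE = CONF + (
    '        by dn="uid=user30,ou=internal,ou=people,o=Example Corp" write\n')

# Group-based rewrite: one clause covers every member of the group
# (assumes "by group=<dn>" is accepted; the group DN is constructed).
GROUP_CONF = (
    "access  to attr=manager,serial,title,isManager\n"
    "        by self write\n"
    "        by dnattr=manager write\n"
    '        by group="cn=hr-editors,ou=groups,o=Example Corp" write\n')


if __name__ == "__main__":
    for name, text in (("CONF", CONF), ("CONF_PLUS_ONE", CONF_PLUS_ONE),
                       ("GROUP_CONF", GROUP_CONF)):
        for line in logical_lines(text):
            print("%-14s %3d tokens: %s..." % (name, count_tokens(line), line[:32]))
        for n, head in check(text):
            print("  Too many tokens (max %d): %d in %r" % (MAXARGS, n, head))
```

Run it before restarting slapd after editing the ACL file: the 99-token line loads, the 102-token one does not, and the group-based form uses 12 tokens, so membership changes are made in the directory instead of in slapd.conf and the limit stops being a concern regardless of whether MAXARGS is raised.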