group ACL Problems, disallow deletion of an object
With OpenLDAP 2.1.30 (Debian sarge), if I use ACLs that restrict access to
certain groups and those groups do not exist when accessing the
(protected) objects, slapd crashes and corrupts the database.
*example*
access to dn=".*,dc=test,dc=org"
    attribute=gosaMailForwardingAddress
    by group/groupOfMailEnhancedUniqueNames/uniqueMember="cn=admin.mailforward,ou=groups,dc=test,dc=org" write
    by * read
slapd:
/home/roland/debian/openldap/build/2.1.30/openldap2-2.1.30/servers/slapd/result.c:455:
slap_send_ldap_result: Assertion `!(((0x51) <= ((err))) && (((err)) <=
(0x61)))&& ( err >= 0 )' failed
As a workaround I would like to protect those groups from being
deleted/moved to ensure that they exist and the database does not crash.
But (write) access to their attributes still has to work. How do I allow
modifying attributes but not deleting the whole object?
2 ACLs, one with each possible attribute in the attribute line and the
rule that allows writing, followed by one without an attribute line with
read permissions?
BTW: is anybody aware of a patch/fix for the above problem (which would
obviously make my workaround obsolete)?
Thanks,
Oliver