I am upgrading from openldap-2.1.22 to openldap-2.2.23, and I am having
some difficulty getting the ACLs to a state that the new version is
happy with. Can anyone describe (or point me to a document that
describes) the ACL syntax differences between these versions? My
searches so far have produced only fragmentary results.

What I've learned so far: I found I needed to change "access to dn=" to
"access to dn.regex=" when the dn contained any regular expression
syntax. After making this change, slapd starts without complaint, but it
appears that my "by group=" access rules are not being used, if I am
interpreting the slapd logging output correctly.

I also changed "attr=" to "attrs=" for each ACL.

Other possibly relevant information: Some of the group identifiers
contain references to a match group in dn.regex, such as:

    access to dn.regex="dc=([^,]+),o=([^,]+)"
        by group="cn=admin,ou=sys,o=$2"