
Re: Problems with slapcat/slapadd in upgrade from 2.2.23 to 2.3.11



On Thu, 20.10.2005 at 23:24 (+0200), Pierangelo Masarati wrote:

On Thu, 2005-10-20 at 13:29 -0700, Charles Stephens wrote:
> Is there a reference on ACI syntax? What is wrong with this specific
> entry?


There is no formal specification (yet); values that used to be legal are
still legal, and few extensions have been added in HEAD.  Of course,
ACIs need to be explicitly enabled by using --enable-aci at configure.

I don't see anything strange at a first glance.  Maybe enabling enough
debugging when slapadd'ing that specific value may enlighten a bit.

If your intention is to use a custom group objectClass "dnGroup", I
think the trailing "/dnGroup" should be put after "group" instead, i.e.

OpenLDAPaci: 1#entry#grant;w;[all]#group/dnGroup#cn=sysops,ou=application,ou=groups,dc=cowlabs,dc=com

and of course you need to make sure that the objectClass "dnGroup" is
defined.

Personally I've never even attempted to use ACIs, having originally been warned off it by the docs and Adam's pdf HOWTO.

Now with 2.3's cn=config and a recently patched GQ (details on the GQ
mailing list) I can change ACLs on the fly from the GUI. Why would
people want to persist with ACIs, especially having been warned off them
in the first place?

--Tonni

--
Mail: tonye@billy.demon.nl
http://www.billy.demon.nl
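
The suffix placement discussed in the quoted reply, as an added example that is not part of the original message and not OpenLDAP code: a Python check that splits an OpenLDAPaci value on "#" and flags an objectClass suffix left on the subject DN, or a group objectClass missing from a caller-supplied schema list. The five-field layout is an assumption inferred from the value quoted in the message (which notes there is no formal specification); `parse_aci`, `lint_aci` and the `MISPLACED` sample are hypothetical and constructed for illustration.

```python
# Added example, not OpenLDAP code. The five-field layout is an assumption
# inferred from the value quoted in the message (no formal spec exists).

# Value as suggested in the message.
SUGGESTED = ("1#entry#grant;w;[all]#group/dnGroup#"
             "cn=sysops,ou=application,ou=groups,dc=cowlabs,dc=com")
# Constructed variant: the objectClass suffix left trailing after the DN.
MISPLACED = ("1#entry#grant;w;[all]#group#"
             "cn=sysops,ou=application,ou=groups,dc=cowlabs,dc=com/dnGroup")


def parse_aci(value):
    """Split an ACI value into its '#'-separated fields (assumed layout)."""
    parts = value.split("#", 4)  # maxsplit keeps any '#' inside the subject
    if len(parts) != 5:
        raise ValueError("expected 5 '#'-separated fields, got %d" % len(parts))
    oid, scope, rights, subject_type, subject = (p.strip() for p in parts)
    bits = subject_type.split("/")  # e.g. "group/dnGroup"
    return {"oid": oid, "scope": scope, "rights": rights, "type": bits[0],
            "object_class": bits[1] if len(bits) > 1 else None,
            "subject": subject}


def lint_aci(value, defined_classes):
    """Return a list of problems found in one ACI value."""
    try:
        aci = parse_aci(value)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    # A '/name' tail after the DN is the misplacement the reply describes.
    _, slash, tail = aci["subject"].rpartition("/")
    if slash and "=" not in tail and "," not in tail:
        problems.append("'/%s' trails the subject DN; put it after '%s' "
                        "in the type field" % (tail, aci["type"]))
    oc = aci["object_class"]
    if oc and oc.lower() not in {c.lower() for c in defined_classes}:
        problems.append("objectClass '%s' is not defined in the schema" % oc)
    return problems


if __name__ == "__main__":
    for v in (SUGGESTED, MISPLACED):
        print(lint_aci(v, {"groupOfNames", "dnGroup"}) or "ok")
```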