Re: Problems with slapcat/slapadd in upgrade from 2.2.23 to 2.3.11

[Tony Earnshaw <billy@billy.demon.nl>]

to den 20.10.2005 Klokka 23:24 (+0200) skreiv Pierangelo Masarati:

> On Thu, 2005-10-20 at 13:29 -0700, Charles Stephens wrote:
> > Is there a reference on ACI syntax?  What is wrong with this specific  
> > entry?
>
> There is no formal specification (yet); values that used to be legal are
> still legal, and few extensions have been added in HEAD.  Of course,
> ACIs need to be explicitly enabled by using --enable-aci at configure.
>
> I don't see anything strange at a first glance.  Maybe enabling enough
> debugging when slapadd'ing that specific value may enlight a bit.
>
> If your intention is to use a custom group objectClass "dnGroup", I
> think the trailing "/dnGroup" should be put after "group" instead, i.e.
>
> OpenLDAPaci: 1#entry#grant;w;
> [all]#group/dnGroup#cn=sysops,ou=application,ou=groups,dc=cowlabs,dc=com
>
> and of course you need to make sure that the objectClass "dnGroup" is
> defined.

Personally I've never even attempted to use ACIs, having originally been
warned off it by the docs and Adam's pdf HOWTO.

Now with 2.3's cn=config and a recently patched GQ (details on the GQ
mailing list) I can change ACLs on the fly from the GUI. Why would
people want to persist with ACIs, especially having been warned off them
in the first place?

--Tonni

--
Mail: tonye@billy.demon.nl
http://www.billy.demon.nl