Re: config_back_db_open and "cannot assess the validity of the ACL scope" in openldap-devel
<quote who="Pierangelo Masarati">
> Gavin Henry wrote:
>> Hi all,
>>
>> Just playing in openldap-devel, with the next step being mirrormode, and
>> get this warning when running slapd with debug on:
>>
>> config_back_db_open: line 0: warning: cannot assess the validity of
>> the ACL scope within backend naming context
>>
>> So is this a separate assessment outwith the normal syntax one?
>>
>> I don't quite understand the warning.
>>
> That's quite informative, and issued at a very verbose log level.
> Basically, the ACL parsing code checks whether a rule will actually be
> used with the scope it can potentially apply to. For example, if you
> place a rule
>
> access to dn.subtree="" by * read
>
> within a database with suffix "dc=example,dc=com", the rule might
> potentially apply to any DN, but since it's placed within a database
> with a non-empty suffix, it will only apply to
> dn.subtree="dc=example,dc=com". So the ACL designer might be fooled
> into believing that it will apply to any entry while it won't. This
> doesn't mean that the ACL is wrong: it will do what it's intended for;
> that's why the warning is informative. In some cases, the ACL parsing
> code cannot determine the scope of a rule (for example, when regular
> expressions are involved); this causes the specific warning you see. If
> you understood the ACL syntax and you believe your ACLs are correct, you
> can safely ignore that warning.
Understood, thanks.
Gavin.
>
> p.
>
>
>
> Ing. Pierangelo Masarati
> OpenLDAP Core Team
>
> SysNet s.n.c.
> Via Dossi, 8 - 27100 Pavia - ITALIA
> http://www.sys-net.it
> ------------------------------------------
> Office: +39.02.23998309
> Mobile: +39.333.4963172
> Email: pierangelo.masarati@sys-net.it
> ------------------------------------------
>
>
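
The scope check explained in the quoted reply, as an added example (not code from the thread and not slapd's implementation): a simplified model that compares an ACL's `dn.<style>` target with the database suffix. It assumes simple DNs without escaped commas and an explicit style; the labels `ok`, `partial`, `never` and `unknown` are this example's own names.

```python
import re

# Constructed model of the check described above; not slapd's implementation.
# Assumes simple DNs (no escaped commas) and an explicit dn.<style>.
ACL_RE = re.compile(r'access\s+to\s+dn\.(\w+)=(?:"([^"]*)"|(\S+))', re.I)
STYLES = {"exact": "base", "base": "base", "baseobject": "base",
          "one": "one", "onelevel": "one", "sub": "subtree",
          "subtree": "subtree", "children": "children", "regex": "regex"}


def rdns(dn):
    """Split a DN into lower-cased RDNs; the empty DN has none."""
    return [r.strip().lower() for r in dn.split(",")] if dn.strip() else []


def is_under(dn, base):
    """True when dn equals base or lies below it in the tree."""
    return len(dn) >= len(base) and dn[len(dn) - len(base):] == base


def assess_scope(suffix, acl_line):
    """Classify an 'access to dn.<style>=...' rule against a database suffix."""
    m = ACL_RE.search(acl_line)
    if not m or m.group(1).lower() not in STYLES:
        raise ValueError("unsupported ACL target: %r" % acl_line)
    style = STYLES[m.group(1).lower()]
    pattern = m.group(2) if m.group(2) is not None else m.group(3)
    if style == "regex":
        return "unknown"      # scope cannot be derived from a regular expression
    s, p = rdns(suffix), rdns(pattern)
    if is_under(p, s):
        return "ok"           # rule targets entries inside this database
    if is_under(s, p):        # rule is rooted above the suffix
        if style in ("subtree", "children"):
            return "partial"  # effectively limited to the suffix subtree
        if style == "one" and len(s) - len(p) == 1:
            return "partial"  # only the suffix entry itself can match
    return "never"            # no entry in this database can match


if __name__ == "__main__":
    suffix = "dc=example,dc=com"   # constructed sample database suffix
    for line in ('access to dn.subtree="" by * read',
                 'access to dn.subtree="ou=people,dc=example,dc=com" by * read',
                 'access to dn.regex="^uid=[^,]+,ou=people,dc=example,dc=com$" by self write',
                 'access to dn.subtree="dc=other,dc=org" by * read'):
        print("%-8s %s" % (assess_scope(suffix, line), line))
```

A `partial` result corresponds to the case in the reply where the rule looks global but only takes effect under the suffix; `unknown` corresponds to the regular-expression case behind the warning.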