Package: slapd
Severity: normal

Hi Matthijs,

> Thanks for the patch. I came up with a different approach to this patch.
> On converting the slapd.conf to slapd.d there is an entry olcAccess
> added to olcDatabase=cn=config database, namely:
> olcAccess: {0}to * by * none

That's right, removing the automatically added olcAccess attribute is the other solution for cn=config, but it does not help in the presence of other olcAccess or olcAuthzRegex statements in the local setup.

> Another olcAccess line wouldn't help as this was the first entry so
> replacing this line was the correct way. But I think your approach is
> better so I'll apply your patch and will test it.

I am sorry to disagree here. I checked that it works before I sent my patch. The olcAccess attributes are evaluated in numerical order of the numbers X given inside the curly braces "{X}" that start the attribute's values. I used X=-1 to be sure that the olcAccess statement for cn=localroot gets evaluated first.

BTW, the same applies for olcAuthzRegex. I have a local olcAuthzRegex based on uidNumber and gidNumber similar to the one you use to map uidNumber=0+gidNumber=0 to cn=localroot. With the X=-1 in my patch I made sure that the olcAuthzRegex for cn=localroot triggers before my local configuration. I checked it by trying to access cn=config as root (which worked) and with my local admin account (which did not work).

Although this caused a change in the behaviour of my system, I considered the patch the best (i.e. simplest/most elegant/...) solution. And it matches README.Debian ;-)

Best
Peter