https://bugs.openldap.org/show_bug.cgi?id=10299
--- Comment #6 from Howard Chu hyc@openldap.org --- (In reply to Ondřej Kuzník from comment #2)
Hi Greg, thanks for the report and configuration. The crash comes down to you having ACLs with group membership testing needs to pull the group entry but with the DB not being initialised due to dry-run (-u) you'll see the crash.
Don't know if there is a way to refuse this if a group ACL is encountered in dry-run mode, Howard?
Currently no, there's no way to stop the processing. At most we can return an error when trying to process the group ACL, which will only result in ACL processing continuing on to the next defined ACL. As such, you'll get a result from slapacl but it will probably be incorrect.
I guess we could have slapacl pre-check all of the relevant ACLs to see if any of them reference any groups, and fail immediately, when dryrun is specified. There's no relevant code that does any similar check right now.