Full_Name: Ryan Tandy
Version: 2.4, master
OS: Debian
URL:
Submission from: (NULL) (24.68.37.4)
Submitted by: ryan
In #openldap, IsoLinCHiP noted that the following config works as intended, and asked whether it's supported:
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.base="cn=admin,cn=config" manage by * +0 break

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=admin,cn=config

dn: olcDatabase={1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {1}frontend
olcAccess: {0}to dn.base="" by * read
olcAccess: {1}to dn.base="cn=subschema" by * read
olcAccess: {2}to dn.subtree="dc=de" attrs=userPassword,userPKCS12 by * auth

dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {2}mdb
olcDbDirectory: /usr/local/openldap/var/openldap-data
olcRootDN: cn=admin,cn=config
olcSuffix: dc=de
The current behaviour is that the additional ACLs on olcDatabase={1}frontend get appended to the frontendDB ACL just as if they'd been defined on olcDatabase={-1}frontend. Behaviour for other attributes varies: some are merged with earlier values, or overwrite them; others are rejected.
It seems to me that defining a second frontend is neither supported, nor to be depended upon, and therefore should probably be explicitly disallowed. Am I right?
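The practical risk in the report is that ACLs living under a second frontend entry are silently appended to the real frontend ACL list, so an auditor who only reads olcDatabase={-1}frontend sees an incomplete picture. The following script is an added example (not part of the ITS submission or of OpenLDAP itself) that parses a cn=config LDIF dump, flags every frontend database entry other than {-1}, and reconstructs the merged ACL list in the order the report says slapd applies it. It assumes the config was exported as LDIF (for instance with slapcat -n 0) and uses a constructed sample built from the entries quoted above; the parser is deliberately minimal and does not decode base64 (::) values.

```python
"""Flag duplicate frontend database entries in a cn=config LDIF dump.

Added example, not part of the ITS report or of OpenLDAP. Assumes the
config was exported as LDIF (e.g. `slapcat -n 0`) and handed to this
script as text. SAMPLE_LDIF is constructed from the entries quoted in
the report; the {2} ACL is folded over two lines to exercise unfolding.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the four database entries quoted in the report.
SAMPLE_LDIF = """\
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.base="cn=admin,cn=config" manage by * +0 break

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=admin,cn=config

dn: olcDatabase={1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {1}frontend
olcAccess: {0}to dn.base="" by * read
olcAccess: {1}to dn.base="cn=subschema" by * read
olcAccess: {2}to dn.subtree="dc=de" attrs=userPassword,userPKCS12
  by * auth

dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {2}mdb
olcDbDirectory: /usr/local/openldap/var/openldap-data
olcRootDN: cn=admin,cn=config
olcSuffix: dc=de
"""

Entry = Tuple[str, Dict[str, List[str]]]  # (dn, attributes)


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF parser: unfolds continuation lines (leading space),
    splits entries on blank lines, skips comments. No base64 decoding."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]       # continuation of previous line
        else:
            lines.append(raw)
    entries: List[Entry] = []
    dn = None
    attrs: Dict[str, List[str]] = {}
    for line in lines + [""]:          # sentinel flushes the last entry
        if line == "":
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        value = value.lstrip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


# RDN of a database entry: olcDatabase={<index>}<type>,cn=config
_RDN = re.compile(r"^olcDatabase=\{(-?\d+)\}(\w+),cn=config$")


def frontend_entries(entries: List[Entry]):
    """(index, dn, attrs) for every entry that is a frontend database, judged by
    objectClass olcFrontendConfig or a database type of 'frontend', index order."""
    out = []
    for dn, attrs in entries:
        m = _RDN.match(dn)
        if not m:
            continue
        ocs = {v.lower() for v in attrs.get("objectClass", [])}
        if "olcfrontendconfig" in ocs or m.group(2).lower() == "frontend":
            out.append((int(m.group(1)), dn, attrs))
    out.sort(key=lambda t: t[0])
    return out


def extra_frontends(text: str) -> List[str]:
    """DNs of frontend entries other than the canonical {-1}frontend."""
    return [dn for idx, dn, _ in frontend_entries(parse_ldif(text)) if idx != -1]


def effective_frontend_acls(text: str) -> List[str]:
    """The frontend ACL list as the report describes slapd building it: olcAccess
    values of every frontend entry concatenated in index order, {n} prefix stripped."""
    acls: List[str] = []
    for _, _, attrs in frontend_entries(parse_ldif(text)):
        for v in attrs.get("olcAccess", []):
            acls.append(re.sub(r"^\{\d+\}", "", v))
    return acls


if __name__ == "__main__":
    extras = extra_frontends(SAMPLE_LDIF)
    if extras:
        print("WARNING: additional frontend database entries found:")
        for dn in extras:
            print("  " + dn)
        print("Effective frontend ACL list (merged, in order):")
        for i, acl in enumerate(effective_frontend_acls(SAMPLE_LDIF)):
            print(f"  {{{i}}}{acl}")
```

Run against a real dump with the sample replaced by the slapcat output; any DN listed under the warning is an entry whose olcAccess values are in force for every database even though they do not appear under {-1}frontend.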