Quoting Pierangelo Masarati <ando@sys-net.it>:
On the contrary, using "[all]" works as expected.
With this I take it that '[all]' isn't supposed to give you access to the entry itself? I'm not surprised actually, it kinda makes sense - why else have 'entry'? :)
I've fixed that in re23.
Thanx a lot! I tried to do that myself (just take aci.c from HEAD), but that had way too many other changes so I gave up on that. And I wasn't quite sure where/what to take... Looked a little too much 'internal OpenLDAP magic' to me :).
Much like in HEAD, now "[entry]" is tolerated in input, but it gets normalized into "entry" (so don't get surprised nor disappointed when you look at your newly added ACIs). Further checking always uses "entry".
I don't care either way actually. Either is fine by me. For future use (re24), which should I use?
You should note some other odds in input/output, since normalization/prettification is consistently used on ACI values. You might also notice some performance improvement, since now access checking heavily relies on the presence of normalized values.
Sorry, but can you take that again, slower? :) I'm not going to say it looked like Greek - I don't want to have my head bitten off, or a Greek dictionary shoved down my throat :) But either I'm very tired, or I'm not myself today...
Normalization rules shouldn't have changed, so there should be no need to dump/reload your database.
Between re22 and re23? Or re23 and re24? I did the dump/reload because I took my production database and tried to load it on my development platform so I could test out re23... And I actually think I'll wait with the upgrade of the production machines until I've helped out testing re24...
The multiple attribute feature is gone in 2.3 (it's back in 2.4: see ITS#4759).
Thanx. Since re23 'is near end of life', I'll just play with 2.3 on my development platform(s) and wait/help test for re24...
However, 2.3 and later have another feature: you can add multiple sets of "perms;attr" groups, like
openldapaci: 0#entry#grant;w,r,s,c;entry;r,s,c;objectClass#public#
That I saw both in the source and in the example/test script. But I found that even worse/uglier so I'll stick with the single attribute per 'line' (for playing with new features in 2.3 - preparing myself for 2.4).
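
The two behaviours discussed in this message, "[entry]" being normalized to "entry" and a single ACI carrying several "perms;attr" groups, shown as an added example that is not part of the original message and is not OpenLDAP code. It assumes the value layout OID#scope#rights#type#subject with rights = action;perms;attr[;perms;attr...], and one attribute per group as described for 2.3; all function names are hypothetical.

```python
# Added illustration (not slapd code): parse an OpenLDAPaci value, normalize
# "[entry]" to "entry", and list which attributes carry a given permission.
# Assumed layout: OID#scope#rights#type#subject
#                 rights = action;perms;attr[;perms;attr...]

def normalize_attr(attr):
    """Thread behaviour: "[entry]" is tolerated on input, stored as "entry"."""
    return "entry" if attr == "[entry]" else attr

def parse_aci(value):
    # The subject is the last field; maxsplit keeps any '#' inside it intact.
    fields = value.split("#", 4)
    if len(fields) != 5:
        raise ValueError("expected 5 '#'-separated fields, got %d" % len(fields))
    oid, scope, rights, subj_type, subject = fields
    parts = rights.split(";")
    action, pairs = parts[0], parts[1:]
    if action not in ("grant", "deny"):
        raise ValueError("unknown action %r" % action)
    if not pairs or len(pairs) % 2:
        raise ValueError("rights must be an action followed by perms;attr pairs")
    groups = []
    for perms, attr in zip(pairs[0::2], pairs[1::2]):
        if not perms or not attr:
            raise ValueError("empty perms or attr in rights %r" % rights)
        groups.append({"perms": perms.split(","), "attr": normalize_attr(attr)})
    return {"oid": oid, "scope": scope, "action": action, "groups": groups,
            "type": subj_type, "subject": subject}

def normalize_aci(value):
    """Re-serialize the value the way it would read back after normalization."""
    a = parse_aci(value)
    rights = ";".join([a["action"]] + [",".join(g["perms"]) + ";" + g["attr"]
                                       for g in a["groups"]])
    return "#".join([a["oid"], a["scope"], rights, a["type"], a["subject"]])

def attrs_with_perm(value, perm):
    """Audit helper: attributes (or "entry") on which `perm` appears."""
    return [g["attr"] for g in parse_aci(value)["groups"] if perm in g["perms"]]

if __name__ == "__main__":
    # The value quoted in the message above.
    sample = "0#entry#grant;w,r,s,c;entry;r,s,c;objectClass#public#"
    for group in parse_aci(sample)["groups"]:
        print(group)
    print(normalize_aci("0#entry#grant;w,r,s,c;[entry]#public#"))
    print(attrs_with_perm(sample, "w"))
```
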