I got my 2.3.32 compiled and working on Saturday, and I've been playing with it since.
One thing that I stumbled on was the ACIs. I make heavy usage of that (ever since 2.0 - as a third-party patch I think - or early 2.1 at least). But my database from 2.2 didn't want to load because of OpenLDAPaci problems...
This is what my ACI looks like on the root object:
----- s n i p -----
OpenLDAPaci: 0#entry#grant;r,s,c;objectClass,userReference,[entry]#public#
OpenLDAPaci: 1#entry#grant;r,s,c;useControls,useEzmlm,useBind9,useWebSrv,autoReload,allowServerChange,whoAreWe,language,hostMaster,ezmlmBinaryPath,krb5RealmName,krb5AdminServer,krb5PrincipalName,krb5AdminKeytab,krb5AdminCommandPath,controlBaseDn,ezmlmAdministrator,controlsAdministrator,useACI#users#
OpenLDAPaci: 2#entry#grant;w,r,s,c,x;[all]#access-id#uid=turbo,ou=People,o=Fredriksson,c=SE
----- s n i p -----
This is apparently not allowed, in many ways! You can't seem to 'stack' the attributes any more.
Well, since I don't have 'Net access in my apartment in Lisbon, I had to figure this out by trial and error. I ended up with something like this:
----- s n i p -----
OpenLDAPaci: 0#entry#grant;r,s,c;objectClass#public#
OpenLDAPaci: 1#entry#grant;r,s,c;userReference#public#
OpenLDAPaci: 2#entry#grant;r,s,c;[entry]#public#
OpenLDAPaci: 3#entry#grant;r,s,c;useControls#users#
OpenLDAPaci: 4#entry#grant;r,s,c;useEzmlm#users#
OpenLDAPaci: 5#entry#grant;r,s,c;useBind9#users#
OpenLDAPaci: 6#entry#grant;r,s,c;useWebSrv#users#
OpenLDAPaci: 7#entry#grant;r,s,c;autoReload#users#
OpenLDAPaci: 8#entry#grant;r,s,c;allowServerChange#users#
OpenLDAPaci: 9#entry#grant;r,s,c;whoAreWe#users#
OpenLDAPaci: 10#entry#grant;r,s,c;language#users#
OpenLDAPaci: 11#entry#grant;r,s,c;hostMaster#users#
OpenLDAPaci: 12#entry#grant;r,s,c;ezmlmBinaryPath#users#
OpenLDAPaci: 13#entry#grant;r,s,c;krb5RealmName#users#
OpenLDAPaci: 14#entry#grant;r,s,c;krb5AdminServer#users#
OpenLDAPaci: 15#entry#grant;r,s,c;krb5PrincipalName#users#
OpenLDAPaci: 16#entry#grant;r,s,c;krb5AdminKeytab#users#
OpenLDAPaci: 17#entry#grant;r,s,c;krb5AdminCommandPath#users#
OpenLDAPaci: 18#entry#grant;r,s,c;controlBaseDn#users#
OpenLDAPaci: 19#entry#grant;r,s,c;ezmlmAdministrator#users#
OpenLDAPaci: 20#entry#grant;r,s,c;controlsAdministrator#users#
OpenLDAPaci: 21#entry#grant;r,s,c;useACI#users#
OpenLDAPaci: 22#entry#grant;w,r,s,c,x;[all]#access-id#uid=turbo,ou=People,o=Fredriksson,c=SE
----- s n i p -----
which is much uglier...
But still, and this is a real show stopper - I have not been able to work around this - this doesn't seem to work properly either! It's the OID 2 that's the problem here. The '[entry]' isn't allowed and I can't seem to find it in the code either. The check for it, anyway - all the code says is:
could be "[all]" or an attribute description
This means that I don't have enough access for _creating_ an object, only to _modify_ an existing one...
Creating a simple object like this:
----- s n i p -----
dn: o=phpQLAdmin_Branch_Test,c=se
objectclass: top
objectclass: organization
o: phpQLAdmin_Branch_Test
openldapaci: 0#entry#grant;w,r,s,c;[all]#access-id#uid=turbo,ou=people,o=fredriksson,c=se
----- s n i p -----
Fails because of:
----- s n i p -----
adding new entry "o=phpQLAdmin_Branch_Test,c=se"
ldap_add: Insufficient access (50)
        additional info: no write access to entry
----- s n i p -----
Adding the line:
----- s n i p -----
openldapaci: 1#entry#grant;w,r,s,c;[entry]#access-id#uid=turbo,ou=people,o=fredriksson,c=se
----- s n i p -----
Will only give me:
----- s n i p -----
ldap_add: Invalid syntax (21)
        additional info: openldapaci: value #1 invalid per syntax
----- s n i p -----
So... Is there a document that describes the _changes_ to previous workings of OpenLDAPaci? Or exactly how it's supposed to work now?
Also, are my initial findings that there now has to be one attribute per 'line' true? Seems a very .. complicated way of doing it... ?
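Added example, not from the post or from OpenLDAP's own code: a small Python parser for the five-field OpenLDAPaci form visible in the post that performs the one-attribute-per-value rewrite the poster did by hand, and lists which subjects are granted write access so the result can be reviewed before loading. The field layout (OID#scope#action;perms;attrs#subject-type#subject) is assumed from the values above; the sample values are constructed from them.

```python
from dataclasses import dataclass

@dataclass
class Aci:
    """One OpenLDAPaci value split into its '#'-separated fields (layout assumed from the post)."""
    oid: int
    scope: str          # "entry" in the post
    action: str         # "grant" or "deny"
    perms: list         # e.g. ["r", "s", "c"]
    attrs: list         # attribute names, or "[all]" / "[entry]"
    subject_type: str   # "public", "users", "access-id", ...
    subject: str        # DN for access-id, empty otherwise

    def render(self) -> str:
        rights = ";".join([self.action, ",".join(self.perms), ",".join(self.attrs)])
        return "#".join([str(self.oid), self.scope, rights, self.subject_type, self.subject])

def parse_aci(value: str) -> Aci:
    # Split into at most five fields so a '#' inside the subject DN survives.
    parts = value.split("#", 4)
    if len(parts) != 5:
        raise ValueError(f"expected 5 '#'-separated fields in {value!r}")
    oid, scope, rights, subject_type, subject = parts
    action, perms, attrs = rights.split(";", 2)
    return Aci(int(oid), scope, action, perms.split(","), attrs.split(","), subject_type, subject)

def expand_stacked(values: list) -> list:
    """One attribute per value, OIDs renumbered: the hand-conversion described in the post."""
    out = []
    for v in values:
        a = parse_aci(v)
        for attr in a.attrs:
            out.append(Aci(len(out), a.scope, a.action, a.perms, [attr], a.subject_type, a.subject).render())
    return out

def write_grants(values: list) -> list:
    """Audit helper: which subjects are granted 'w', and on which attributes."""
    return [(a.subject_type, a.subject, a.attrs) for a in map(parse_aci, values)
            if a.action == "grant" and "w" in a.perms]

# Constructed sample values, shortened from the root-object ACIs in the post.
SAMPLE = [
    "0#entry#grant;r,s,c;objectClass,userReference,[entry]#public#",
    "1#entry#grant;r,s,c;useControls,useEzmlm,useACI#users#",
    "2#entry#grant;w,r,s,c,x;[all]#access-id#uid=turbo,ou=People,o=Fredriksson,c=SE",
]

if __name__ == "__main__":
    for line in expand_stacked(SAMPLE):
        print("OpenLDAPaci:", line)
```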