Turbo Fredriksson wrote:
By quickly reading the code, it seems that the effect you desire is obtained by setting no attribute type, or by using "entry" instead of "[entry]".
Neither of these works. The first fails with 'no write access to entry' and the second with 'openldapaci: value #0 invalid per syntax'.
A more careful pass through the code shows that actually, "[entry]" is not tolerated by normalization functions, while "entry" is. But later on, checking for "entry" is turned into "[entry]" (catch-22?).
On the contrary, using "[all]" works as expected.
I've fixed that in re23. Much like in HEAD, now "[entry]" is tolerated in input, but it gets normalized into "entry" (so don't get surprised nor disappointed when you look at your newly added ACIs). Further checking always uses "entry".
You should note some other odds in input/output, since normalization/prettification is consistently used on ACI values. You might also notice some performance improvement, since now access checking heavily relies on the presence of normalized values.
Normalization rules shouldn't have changed, so there should be no need to dump/reload your database.
The multiple attribute feature is gone in 2.3 (it's back in 2.4: see ITS#4759). However, 2.3 and later have another feature: you can add multiple sets of "perms;attr" groups, like
openldapaci: 0#entry#grant;w,r,s,c;entry;r,s,c;objectClass#public#
and so on.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:  +39.02.23998309
Mobile:  +39.333.4963172
Email:   pierangelo.masarati@sys-net.it
------------------------------------------
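The value syntax discussed in the thread (OID#SCOPE#RIGHTS#TYPE#SUBJECT, with RIGHTS being "grant" or "deny" followed by repeated "perms;attrs" groups, and "[entry]" accepted on input but normalized to "entry") can be modelled with a small parser. The following is an added example written for this page, not code from OpenLDAP or from either poster; the permission letters it accepts (r, s, c, w, x), the scope names and the treatment of "[all]" as a wildcard attribute are assumptions, and it does not attempt to reproduce slapd's own normalization or access-evaluation logic.

```python
"""Toy parser for 'openldapaci' attribute values (added example, not slapd code).

Format handled:  OID#SCOPE#RIGHTS#TYPE#SUBJECT
RIGHTS:          (grant|deny) ; perms ; attrs [ ; perms ; attrs ... ]
e.g.             0#entry#grant;w,r,s,c;entry;r,s,c;objectClass#public#
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Assumption: the permission letters slapd's ACI module understands.
PERMS = frozenset("rscwx")          # read, search, compare, write, authenticate
SCOPES = frozenset({"entry", "subtree"})
ACTIONS = frozenset({"grant", "deny"})


class ACISyntaxError(ValueError):
    """Raised for values that would be rejected as 'invalid per syntax'."""


def normalize_attr(attr: str) -> str:
    """'[entry]' is tolerated on input but stored as 'entry' (as the reply describes).
    '[all]' is kept verbatim and treated as a wildcard in permits() (assumption)."""
    return "entry" if attr == "[entry]" else attr


@dataclass
class ACI:
    oid: str
    scope: str
    action: str
    groups: List[Tuple[FrozenSet[str], Tuple[str, ...]]]  # (perms, attrs) pairs
    subject_type: str
    subject: str

    def permits(self, perm: str, attr: str) -> bool:
        """True if this ACI *grants* `perm` on `attr`; deny ACIs never permit."""
        if self.action != "grant":
            return False
        return any(perm in perms and (attr in attrs or "[all]" in attrs)
                   for perms, attrs in self.groups)


def parse_rights(rights: str) -> Tuple[str, List[Tuple[FrozenSet[str], Tuple[str, ...]]]]:
    fields = rights.split(";")
    action, rest = fields[0], fields[1:]
    if action not in ACTIONS:
        raise ACISyntaxError(f"unknown action {action!r}")
    # Every perms field must be followed by an attrs field.
    if not rest or len(rest) % 2:
        raise ACISyntaxError("rights must be 'action;perms;attrs[;perms;attrs...]'")
    groups = []
    for perms_field, attrs_field in zip(rest[::2], rest[1::2]):
        perms = frozenset(p for p in perms_field.split(",") if p)
        if not perms or not perms <= PERMS:
            raise ACISyntaxError(f"bad permission set {perms_field!r}")
        attrs = tuple(normalize_attr(a) for a in attrs_field.split(",") if a)
        if not attrs:
            raise ACISyntaxError("empty attribute list")
        groups.append((perms, attrs))
    return action, groups


def parse_aci(value: str) -> ACI:
    parts = value.split("#")
    if len(parts) != 5:
        raise ACISyntaxError("expected exactly five '#'-separated fields")
    oid, scope, rights, subject_type, subject = parts
    if scope not in SCOPES:
        raise ACISyntaxError(f"unknown scope {scope!r}")
    action, groups = parse_rights(rights)
    return ACI(oid, scope, action, groups, subject_type, subject)


if __name__ == "__main__":
    # Constructed sample: the value quoted in the reply above.
    aci = parse_aci("0#entry#grant;w,r,s,c;entry;r,s,c;objectClass#public#")
    print(aci.groups)                      # [({'w','r','s','c'}, ('entry',)), ({'r','s','c'}, ('objectClass',))]
    print(aci.permits("w", "entry"))       # True
    print(aci.permits("w", "objectClass")) # False: write was only granted on the entry itself
```

The second group in the sample shows the point of the "multiple perms;attr groups" feature: the same ACI grants write on the entry but only read/search/compare on objectClass, so a check for write on objectClass must come back negative.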