Andrew Bartlett wrote:
The fix was to define rootdn globally (as the module operates globally), and then to give it explicit manage access in an ACL. eg
I didn't even know that was possible at all.
access to dn.subtree="${DOMAINDN}" by dn=cn=samba-admin,cn=samba manage by dn=cn=manager manage by * none
rootdn cn=Manager
Adding a rootdn to each database then quashed the warnings about 'rootdn can always manage'.
Shall I file an ITS?
I need to investigate it a little bit more. But filing an ITS could be a starting point, as the issue could get hairy.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando@sys-net.it -----------------------------------