[Kolab-devel] [issue2498] slapd.access doesn't scale well over 50 domains
Alain Spineux
kolab-issues at intevation.de
Wed Feb 27 12:35:51 CET 2008
New submission from Alain Spineux <alain.spineux at gmail.com>:
The way slapd.access is generated by kolabconf
doesn't allow more than about 50 domains.
This is because openldap doesn't allow access rules
bigger than 8192 chars.
I wrote a patch to split the first rules, one domain at
a time. I use the "break" and "stop" keywords.
The main problem is that openldap segfaults if the rule
is >8192 chars!
Here is the result:
# Access to domain groups
access to dn.children="cn=domains,cn=internal,dc=eg01,dc=emailgency,dc=loc"
    by group/kolabGroupOfNames="cn=admin,cn=internal,dc=eg01,dc=emailgency,dc=loc" write
    by group/kolabGroupOfNames="cn=maintainer,cn=internal,dc=eg01,dc=emailgency,dc=loc" write
    by dn="cn=nobody,cn=internal,dc=eg01,dc=emailgency,dc=loc" read
    by * break

# Access to domain groups continue
access to dn.children="cn=domains,cn=internal,dc=eg01,dc=emailgency,dc=loc"
    by group/kolabGroupOfNames="cn=eg01.emailgency.loc,cn=domains,cn=internal,dc=eg01,dc=emailgency,dc=loc" read
    by * break

# Access to domain groups continue
access to dn.children="cn=domains,cn=internal,dc=eg01,dc=emailgency,dc=loc"
    by group/kolabGroupOfNames="cn=mydomain.loc,cn=domains,cn=internal,dc=eg01,dc=emailgency,dc=loc" read
    by * break

# Access to domain groups continue
access to dn.children="cn=domains,cn=internal,dc=eg01,dc=emailgency,dc=loc"
    by group/kolabGroupOfNames="cn=alpha.loc,cn=domains,cn=internal,dc=eg01,dc=emailgency,dc=loc" read
    by * break

... some more domain definitions ...

# Access to domain groups end
access to dn.children="cn=domains,cn=internal,dc=eg01,dc=emailgency,dc=loc"
    by * search stop
----------
files: kolab-2.2rc1-slapd-access-split-domain.patch
messages: 13785
nosy: alain.spineux at gmail.com
priority: bug
status: unread
title: slapd.access doesn't scale well over 50 domains
topic: server
___________________________________________________
Kolab issue tracker <kolab-issues at intevation.de>
<https://www.intevation.de/roundup/kolab/issue2498>
___________________________________________________
-------------- next part --------------
A non-text attachment was scrubbed...
Name: kolab-2.2rc1-slapd-access-split-domain.patch
Type: application/octet-stream
Size: 1763 bytes
Desc: not available
URL: <http://lists.kolab.org/pipermail/devel/attachments/20080227/0a7eb4c0/attachment.obj>
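
The splitting scheme described in the message, as an added example that is not part of the original post or of the attached patch: a Python sketch that generates the chained rules for a list of domains and checks each one against the 8192-character limit. The function names, the constructed domain list, and the shape of the unsplit rule (one "by" clause per domain, ending in "by * search stop") are assumptions.

```python
# Added example: all names below are hypothetical, not kolabconf's own code.
LIMIT = 8192  # per-rule size limit reported in the message above

BASE = "cn=internal,dc=eg01,dc=emailgency,dc=loc"  # suffix from the posted output
TARGET = f'access to dn.children="cn=domains,{BASE}"'


def _by(who, level):
    # Continuation lines in slapd.access must start with whitespace.
    return f"\n    by {who} {level}"


def _head():
    """Clauses that precede the per-domain ones: admin/maintainer write, nobody read."""
    return (_by(f'group/kolabGroupOfNames="cn=admin,{BASE}"', "write")
            + _by(f'group/kolabGroupOfNames="cn=maintainer,{BASE}"', "write")
            + _by(f'dn="cn=nobody,{BASE}"', "read"))


def _domain(d):
    return _by(f'group/kolabGroupOfNames="cn={d},cn=domains,{BASE}"', "read")


def monolithic_rule(domains):
    """Assumed unsplit layout: one rule whose length grows with every domain."""
    return TARGET + _head() + "".join(_domain(d) for d in domains) + _by("*", "search stop")


def split_rules(domains):
    """One rule per domain, chained with 'by * break', closed by 'by * search stop'."""
    rules = [TARGET + _head() + _by("*", "break")]
    rules += [TARGET + _domain(d) + _by("*", "break") for d in domains]
    rules.append(TARGET + _by("*", "search stop"))
    too_long = [r for r in rules if len(r) > LIMIT]
    if too_long:  # refuse to emit a rule slapd could not load
        raise ValueError(f"{len(too_long)} rule(s) still exceed {LIMIT} chars")
    return rules


if __name__ == "__main__":
    domains = [f"customer{i:03d}.example" for i in range(80)]  # constructed sample data
    print("monolithic:", len(monolithic_rule(domains)), "chars")
    print("split: max", max(len(r) for r in split_rules(domains)), "chars per rule")
    print("\n\n".join(split_rules(domains[:2])))
```

Every rule except the last ends in "by * break", so evaluation falls through to the next rule for the same target until a domain group matches or the closing rule grants search.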