[Kolab-devel] kolabGroupOfNames ACL in cn=domains,cn=internal
Jeroen van Meeuwen (Kolab Systems)
vanmeeuwen at kolabsys.com
Tue Mar 15 12:59:40 CET 2011
Hello,

I'm working to solve an issue experienced in situations with many, many
domains, where slapd segfaults not being able to digest the generated
slapd.access.

Presumably, the access control entry distilled using $dom_acl2 becomes too
large for slapd to read in one go, and kthxbye! goes slapd.

Looking at rebuilding the access control entries in a different way that slapd
may be able to cope with, I find that -please correct me if I'm wrong- all
groups under cn=domains,cn=internal, may read one another, and I'm wondering
why that is.

I was thinking of putting down an ACL further restricting access so that a
domain group could only read that very same domain group:

access to dn.regex="^(.+,)?cn=([^,]+),cn=domains,cn=internal,"
    (... admin and service access ...)
    by group/kolabGroupOfNames="cn=$2,cn=domains,cn=internal," read
    by * search stop

Thoughts?

Kind regards,

Jeroen van Meeuwen
--
Senior Engineer, Kolab Systems AG
e: vanmeeuwen at kolabsys.com
t: +316 42 801 403
w: http://www.kolabsys.com
pgp: 9342 BF08
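
The per-domain isolation the proposed ACL aims for, as an added example that is not part of the original message and not Kolab or slapd code: a simplified Python model of the two visible <by> clauses, run over constructed DNs. The base DN dc=example,dc=com, the sample domain groups and the helper names group_for and access are assumptions; the elided admin and service clauses are not modelled.

```python
import re

# Assumption: the ACL in the message ends at "cn=internal," with no base DN
# shown, so this constructed suffix stands in for it.
SUFFIX = "dc=example,dc=com"

# The <what> pattern from the proposed ACL, with the constructed suffix appended.
TARGET = re.compile(
    r"^(.+,)?cn=([^,]+),cn=domains,cn=internal," + re.escape(SUFFIX),
    re.IGNORECASE,
)


def group_for(target_dn):
    """Expand cn=$2,cn=domains,cn=internal,<suffix> for a target DN.

    Returns None when the <what> clause does not match the target.
    """
    m = TARGET.search(target_dn)
    if m is None:
        return None
    return "cn=%s,cn=domains,cn=internal,%s" % (m.group(2), SUFFIX)


def access(target_dn, requester_groups):
    """Model the two <by> clauses visible in the message.

    requester_groups: set of group DNs the bound identity is a member of.
    """
    group = group_for(target_dn)
    if group is None:
        return None  # no match: evaluation would continue with later ACLs
    member_of = {g.lower() for g in requester_groups}
    if group.lower() in member_of:
        return "read"    # by group/kolabGroupOfNames="cn=$2,..." read
    return "search"      # by * search stop


# Constructed sample entries.
ORG = "cn=example.org,cn=domains,cn=internal," + SUFFIX
NET = "cn=example.net,cn=domains,cn=internal," + SUFFIX

if __name__ == "__main__":
    # A member of the example.org domain group looks at several targets.
    for target in (ORG, NET, "cn=child," + NET, "uid=jdoe,ou=people," + SUFFIX):
        print(target, "->", access(target, {ORG}))
```
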