/* dealt with separately; don't let it get to bindconf */
;
+ } else if(!strncasecmp(c->argv[i], "host=", STRLENOF("host="))) {
+ /* dealt with separately; don't let it get to bindconf */
+ ;
+
} else if(!strncasecmp(c->argv[i], "suffix=", STRLENOF( "suffix="))) {
switch(add_replica_suffix(c->be, nr, c->argv[i] + STRLENOF("suffix="))) {
case 1:
return 1;
cfb = be->be_private;
+ be->be_dfltaccess = ACL_NONE;
/* If no .conf, or a dir was specified, setup the dir */
if ( !fname || dir ) {
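Review bot: The added `be->be_dfltaccess = ACL_NONE;` has no comment explaining that it is one half of a two-part default-deny. The other half is the explicit `to * by * none` rule that this patch installs in config_back_db_open, and that rule is only added when `frontendDB->be_acl` is set. When no global ACLs exist at all, this assignment is presumably the only thing keeping the config database closed, so a later cleanup could remove it without noticing. I would add a comment above it such as `/* deny by default when no ACLs are configured; config_back_db_open handles the case where global ACLs exist */`. The enclosing function starts and ends outside the visible lines.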
/* No parent, must be root. This will never happen... */
if ( !last && !be_isroot( op ) && !be_shadow_update( op ))
return LDAP_NO_SUCH_OBJECT;
- if ( !access_allowed( op, last->ce_entry, slap_schema.si_ad_children,
- NULL, ACL_WADD, NULL ))
+ if ( last && !access_allowed( op, last->ce_entry,
+ slap_schema.si_ad_children, NULL, ACL_WADD, NULL ))
return LDAP_INSUFFICIENT_ACCESS;
}
}
#endif
+static const char *defacl[] = {
+ NULL, "to", "*", "by", "*", "none", NULL
+};
+
static int
config_back_db_open( BackendDB *be )
{
void *thrctx = NULL;
Debug( LDAP_DEBUG_TRACE, "config_back_db_open\n", 0, 0, 0);
+
+ /* If we have no explicitly configured ACLs, don't just use
+ * the global ACLs. Explicitly deny access to everything.
+ */
+ if ( frontendDB->be_acl && be->be_acl == frontendDB->be_acl ) {
+ parse_acl(be, "config_back_db_open", 0, 6, (char **)defacl, 0 );
+ }
+
/* If we read the config from back-ldif, nothing to do here */
if ( cfb->cb_got_ldif )
return 0;
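Review bot: The `6` passed to parse_acl() is a hand-counted argc that must stay in step with the `defacl` initializer; if someone edits the array, the rule could be silently truncated or the call could read past the intended end. Deriving the count keeps them tied: `parse_acl(be, "config_back_db_open", 0, (int)(sizeof(defacl)/sizeof(defacl[0])) - 1, (char **)defacl, 0 );`. The `(char **)` cast also drops `const` from an array of string literals. parse_acl's prototype is not visible here, so it is worth confirming that it never edits its argv strings in place for this rule shape. Nothing in the hunk checks that the deny rule was actually installed; if parse_acl can report failure, `be->be_acl` would stay aliased to the frontend ACLs and the database would fall back to the global rules. config_back_db_open continues past the end of this hunk.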