ACLs with identical access definitions are not implemented correctly #420

@WimRooseUG

Description

How to reproduce (e.g Puppet code you use)

Adding an ACL before another with identical 'what' doesn't update the olcAccess 'to', and results in duplicate ACLs.

Example (openldap::server::access_wrapper)

Altering

```yaml
ldapserver::access:
  - to attrs=ugentPostalAddress:
    - by * read
```

to

```yaml
ldapserver::access:
  - to filter=(objectClass=ugentEntitlement):
    - by * read
  - to attrs=ugentPostalAddress:
    - by * read
```

What are you seeing

puppet logs

```
Notice: /Stage[main]/Ldapserver/Openldap::Server::Access_wrapper[dc=UGent,dc=be]/Openldap::Server::Iterate_access[0 on dc=UGent,dc=be]/Openldap::Server::Access[0 on dc=UGent,dc=be]/Openldap_access[0 on dc=UGent,dc=be]/what: what changed 'attrs=ugentPostalAddress' to 'filter=(objectClass=ugentEntitlement)'
Notice: /Stage[main]/Ldapserver/Openldap::Server::Access_wrapper[dc=UGent,dc=be]/Openldap::Server::Iterate_access[1 on dc=UGent,dc=be]/Openldap::Server::Access[1 on dc=UGent,dc=be]/Openldap_access[1 on dc=UGent,dc=be]/ensure: created
Notice: Applied catalog in 0.55 seconds
```

slapcat

```
createTimestamp: 20240502203156Z
olcAccess: {0}to attrs=ugentPostalAddress by * read
olcAccess: {1}to attrs=ugentPostalAddress by * read
entryCSN: 20240503143152.471790Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20240503143152Z
```

Any additional information you'd like to impart

As far as I understand, this behaviour is caused by the @property_flush variable only being set by the access method, which doesn't happen when the access directive is identical to the existing ACL on that position.

I've noticed this while setting up a new LDAP server for a database with 100+ ACLs, where not all ACLs with identical access directives (`by * read`, for instance) are defined in a single olcAccess directive.
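The following is an added illustration of the failure mode described in this issue; it is not code from the puppet-openldap module. It models a setter-driven Puppet provider with a simplified `@property_flush`: in the buggy variant only the `access=` setter records a pending change, so when Puppet changes `what` at position {0} while `access` stays `by * read`, `flush` writes nothing and position {1} is created as a copy of the old line, reproducing the duplicate `olcAccess` entries from the slapcat output above. The `AclStore`, `apply` and `parse` helpers are hypothetical stand-ins for the database's `olcAccess` attribute and Puppet's sync loop, and `duplicate_acls` is a small check one can run over a slapcat dump to detect this drift.

```ruby
# Hypothetical stand-in for the olcAccess attribute of one database:
# index in `lines` corresponds to the {n} position prefix.
class AclStore
  attr_reader :lines

  def initialize(lines)
    @lines = lines.dup
  end

  def write(position, what, access)
    line = "to #{what} #{access.join(' ')}"
    if position < @lines.size
      @lines[position] = line   # modify the ACL at that position
    else
      @lines << line            # "ensure: created"
    end
  end
end

# Buggy provider (the behaviour reported in this issue): only access=
# flags a pending change, so a change to `what` alone is never flushed.
class BuggyProvider
  attr_reader :what, :access

  def initialize(store, position, what, access)
    @store, @position, @what, @access = store, position, what, access
    @property_flush = {}
  end

  def what=(value)
    @what = value                     # remembered, but never marked dirty
  end

  def access=(value)
    @access = value
    @property_flush[:access] = value  # the only place a flush is requested
  end

  def flush
    return if @property_flush.empty?
    @store.write(@position, @what, @access)
  end
end

# Fixed provider: every property setter marks the resource dirty.
class FixedProvider < BuggyProvider
  def what=(value)
    @what = value
    @property_flush[:what] = value
  end
end

# Parse "to <what> by ... by ..." into [what, [by-clauses]].
def parse(line)
  m = line.match(/\Ato (\S+) (.*)\z/)
  [m[1], m[2].split(/ (?=by )/)]
end

# Simplified model of Puppet's sync: compare each desired ACL with the one
# currently at the same position, call setters for differing properties,
# then flush; positions beyond the current list are created.
def apply(provider_class, store, desired)
  desired.each_with_index do |(what, access), pos|
    current = store.lines[pos]
    if current.nil?
      store.write(pos, what, access)
      next
    end
    cur_what, cur_access = parse(current)
    p = provider_class.new(store, pos, cur_what, cur_access)
    p.what = what if cur_what != what
    p.access = access if cur_access != access
    p.flush
  end
  store.lines
end

# Detection helper: lines that occur more than once in a database's ACL list.
def duplicate_acls(lines)
  lines.group_by(&:itself).select { |_, v| v.size > 1 }.keys
end

# Constructed inputs mirroring the issue: one existing ACL, then a new ACL
# inserted in front of it with an identical access definition.
INITIAL = ['to attrs=ugentPostalAddress by * read'].freeze
DESIRED = [
  ['filter=(objectClass=ugentEntitlement)', ['by * read']],
  ['attrs=ugentPostalAddress',              ['by * read']]
].freeze

if $PROGRAM_NAME == __FILE__
  puts 'buggy: ' + apply(BuggyProvider, AclStore.new(INITIAL), DESIRED).inspect
  puts 'fixed: ' + apply(FixedProvider, AclStore.new(INITIAL), DESIRED).inspect
end
```

Running the file prints the buggy result with `to attrs=ugentPostalAddress by * read` at both {0} and {1}, exactly what the slapcat above shows, while the fixed provider writes the filter ACL at {0} and the attrs ACL at {1}. The `duplicate_acls` check is the kind of thing worth running after a catalog apply on databases with many ACLs, since a silently duplicated or missing `to` clause changes who can read what.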
