/* get the acl */
acl_info[0] = '\0';
if (acl_reason->deciding_aci) {
if (acl_reason->reason == ACL_REASON_RESULT_CACHED_DENY ||
acl_reason->reason == ACL_REASON_RESULT_CACHED_ALLOW) {
/* acl is in cache. Its detail must have been printed before.
* So no need to print out acl detail this time.
*/
PR_snprintf( &acl_info[0], BUFSIZ, "%s by aci(%d)",
access_reason,
acl_reason->deciding_aci->aci_index);
}
else {
PR_snprintf( &acl_info[0], BUFSIZ, "%s by aci(%d): aciname=%s, acidn=\"%s\"",
access_reason,
acl_reason->deciding_aci->aci_index,
acl_reason->deciding_aci->aclName,
slapi_sdn_get_ndn (acl_reason->deciding_aci->aci_sdn) );
}
}
Looking at logs i've posted formely it seems to me that aci's are not cached hence "cached allow by aci(7)" entries in logs. According to the code above if they were cached there would be an "cached context/parent allow" in log (ACL_REASON_RESULT_CACHED_ALLOW would evaluate to true).
I dug through documentation but still there's no trace of a property in "cn=config" etc i'm missing that would fix that.