[Date Prev][Date Next] [Chronological] [Thread] [Top]

Global ACLs - Impacts access control and SLAPI (ITS#3100)



Full_Name: Pierangelo Masarati
Version: HEAD
OS: (irrelevant)
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (131.175.154.56)
Submitted by: ando


Global ACLs - Impacts access control and SLAPI

If i read it correctly, I notice that the global_acl are never used, because if
access_allowed is called when o_bd is NULL, the ACLs of the first backend are
used instead; then, until the end of access_alowed, the o_bd member remains set
to this value.  I don't think this is correct; apparently it is done to invoke
slapi ACL code, but this inhibits the use of global ACLs in the rest of the
code.  I fixed this to allow the operation only within slapi code, and restore
the global_acl usage.  If any other code needs o_bd to be set to a "fake"
backend for auth purposes, I'd rather favour the use of a fake BackendDB
structure with be_acl member set to global_acl.  In my global overlay patch
(ITS#3080), this is addressed by defining a global BackendDB structure that
holds global stuff, and can be addressed by o_bd while no backend is selected
yet.  

I'll commit the fix in a moment; please review because I'm not sure i did it
correctly, and ACLs are critical.

Ando.