[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#6468) ACLs in subordinate databases can be ignored

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#6468) ACLs in subordinate databases can be ignored
From: rein@OpenLDAP.org
Date: Tue, 2 Feb 2010 15:52:38 GMT
Auto-submitted: auto-generated (OpenLDAP-ITS)

On 02/02/2010 04:25 PM, Hallvard B Furuseth wrote:
> Hold on.  Is the current behavior self-consistent, i.e. one could call
> it an undocumented feature?  If so someone may have noticed this and
> written their ACLs accordingly.  It's not friendly to change the
> meaning of existing installations' ACLs in the middle of RE24.
>
> OTOH if current behavior is broken even as a "feature", fix away.
> E.g. if clients can choose which ACLs will apply in the subordinate
> by picking a base DN inside vs outside the subordinate.

 From my analyzis of the problem, the subordinate ACLs are used in all 
cases except when syncprov desides which "live" modifications it should 
replicate to its consumers.  Searching with the credentials used by the 
syncrepl consumer gives me the attributes and entries my subordinate 
ACLs allows, and they are replicated during the refresh phase.  But 
access to entries and/or attributes being modified during the persistent 
phase are rejected.

But yes, the change should be analyzed by somebody else before being 
included in a release.

Rein

Prev by Date: Re: (ITS#6468) ACLs in subordinate databases can be ignored
Next by Date: (ITS#6469) push replication entryCSN of database suffix out of sync
Index(es):
- Chronological
- Thread