
Re: Wishes for set ACLs



I have never done testing on this but I am wondering if there is any
kind of infinite loop problem with the attribute recursion feature. For
instance if I have a group of names

cn=foo (containing cn=foo2)

and 

cn=foo2 (containing cn=foo)

Anyone know what happens in this case?

I assume it's smart enough to skip entries that are already in the set
and not recurse them.

Lee

On Thu, 2005-03-17 at 20:26 +0100, Pierangelo Masarati wrote:
> Kurt D. Zeilenga wrote:
> 
> >At 07:36 AM 3/17/2005, Hallvard B Furuseth wrote:
> >  
> >
> >>I've got a few wishes for set acls. 
> >>    
> >>
> >
> >I have one...
> >
> >1) avoid deadlock conditions
> >
> >  
> >
> It is unclear to me how deadlock could arise when using sets; value 
> collection occurs via backend_attribute(), so, unless this function 
> suffers from the problem, I don't see room for deadlocks.  For instance, 
> I assume that to cause a potential deadlock I should dereference an 
> entry whose access control is being checked.  For the purpose, I wrote 
> the following (trivial, useless) set-based rule, using test003 data:
> 
> access to dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com"
>     by set="[cn=all staff,ou=groups,dc=example,dc=com]/member/uid & this/uid" read
>     by * auth
> 
> This should cause the entry "cn=Bjorn Jensen,ou=Information Technology 
> Division,ou=People,dc=example,dc=com" to be dereferenced (to look up the 
> "uid" attribute) while being checked for access.  Well, this works fine 
> even under heavy load (multiple clients simultaneously and repeatedly 
> accessing that entry).
> 
> Even the URI form:
> 
> access to dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com"
>     by set="[ldap:///dc=example,dc=com??sub?(uid=bjorn)]/uid & this/uid" read
>     by * auth
> 
> which directly issues an internal search, in principle might incur a 
> deadlock, but it doesn't.
> 
> Could you elaborate more on the issue?
> 
> p.
> 
> 
>     SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
>
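
The cyclic-membership case asked about at the top of this message (cn=foo containing cn=foo2 and the reverse), as an added example that is not part of the thread and is not OpenLDAP's code. It models a directory as a Python dict and expands an attribute recursively with a visited set, so each entry is looked up once and the walk terminates; the directory contents, the simplified DN normalization and all function names are assumptions made for illustration.

```python
from collections import deque

# Constructed sample directory: normalized DN -> attribute -> values.
# cn=foo and cn=foo2 contain each other, as in the question above.
DIRECTORY = {
    "cn=foo,ou=groups,dc=example,dc=com": {
        "member": ["cn=foo2,ou=groups,dc=example,dc=com",
                   "uid=alice,ou=people,dc=example,dc=com"],
    },
    "cn=foo2,ou=groups,dc=example,dc=com": {
        "member": ["CN=foo, ou=groups, dc=example, dc=com",  # same entry, other spelling
                   "uid=bob,ou=people,dc=example,dc=com"],
    },
    "uid=alice,ou=people,dc=example,dc=com": {"uid": ["alice"]},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": ["bob"]},
}


def normalize(dn):
    """Simplified DN normalization (assumption): lowercase, strip spaces at commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def expand_recursive(directory, start_dn, attr):
    """Follow attr transitively from start_dn.

    Returns (reachable_dns, lookups). The seen set is what stops the walk
    on a membership cycle: a DN already expanded is never looked up again.
    """
    seen, result, lookups = set(), set(), 0
    queue = deque([normalize(start_dn)])
    while queue:
        dn = queue.popleft()
        if dn in seen:
            continue  # already expanded; skipping it breaks the cycle
        seen.add(dn)
        lookups += 1
        entry = directory.get(dn, {})  # dangling reference yields no values
        for value in entry.get(attr, []):
            value = normalize(value)
            result.add(value)
            queue.append(value)
    return result, lookups


def is_member(directory, group_dn, user_dn, attr="member"):
    """True if user_dn is reachable from group_dn through nested groups."""
    return normalize(user_dn) in expand_recursive(directory, group_dn, attr)[0]
```

Normalizing DNs before the visited check matters: without it, the differently spelled back-reference in cn=foo2 would be treated as a new entry and expanded a second time.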