Re: commit: ldap/servers/slapd/back-bdb add.c
On Sat, 2006-05-20 at 01:36 -0700, Howard Chu wrote:
> Pierangelo Masarati wrote:
> > On Fri, 2006-05-19 at 15:31 -0700, Howard Chu wrote:
> >
> >> Test045 is broken now because it only gives the updatedn write
> >> privileges to "dn.subtree=<suffix>"; it now also needs children access
> >> to the suffix's parent. Is the code wrong (which used to explicitly
> >> allow access to the updatedn in this case) or the test's ACL?
> >>
> >
> > There shouldn't be any suffix's parent involved in access checking. The
> > suffix doesn't have any parent by definition, right? I guess checking
> > children access in this case is incorrect.
> >
>
> Well, there's some uncertainty here. You'll note that modrdn also
> requires write access to the children attr of the newsuperior, and uses
> slap_entry_root for the parent of the suffix already. And, adding
> access to dn.exact="" attrs=children by <foo> write
> fixes the test. I think this is actually the right thing, it makes
> everything consistent with no exceptions.
OK; this needs to be documented, though; I'll add it to slapd.access(5).
p.
Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati@sys-net.it
------------------------------------------
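
The ACL change discussed in this thread, written out as a slapd.conf fragment. This is an added example, not the contents of test045 or any OpenLDAP project file; the suffix, the updatedn and the "by * read" clause are constructed placeholders, and placing the rule in the database section is an assumption.

```conf
# Constructed slapd.conf fragment illustrating the thread above.
# Suffix and updatedn are placeholders, not values from test045.
database    bdb
suffix      "dc=example,dc=com"
updatedn    "cn=replicator,dc=example,dc=com"

# Adding an entry needs write access to the "children" pseudo-attribute
# of its parent. For the suffix entry itself the parent is the empty DN,
# so the updatedn needs this one extra grant. Scoping it to
# attrs=children on dn.exact="" gives nothing else on the empty DN.
access to dn.exact="" attrs=children
    by dn.exact="cn=replicator,dc=example,dc=com" write

# The rule the thread says the test already had: write on the subtree.
# On its own it no longer lets the updatedn add the suffix entry.
access to dn.subtree="dc=example,dc=com"
    by dn.exact="cn=replicator,dc=example,dc=com" write
    by * read
```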