OpenLDAP
Viewing Development/5505
Date: Sat, 10 May 2008 17:10:56 GMT
From: michael@stroeder.com
To: openldap-its@OpenLDAP.org
Subject: Attribute value for 'modifiersName' in case of overlays
Full_Name: Michael Ströder
Version: HEAD
OS: OpenSUSE Linux 10.2
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (84.163.119.62)


Hi!

Just a feature request for convenience:

Would it be possible to set the value of attribute 'modifiersName' to the DN of
the overlays' configuration entry under cn=config if an entry was modified by an
overlay? In this case one would have a direct link to the configuration if
needed. Currently 'cn=<overlay name>' (e.g. cn=Referential Integrity Overlay) is
added which does not refer to an existing entry at all.

Ciao, Michael.


Followup 1

Date: Sat, 10 May 2008 22:28:06 +0200 (CEST)
Subject: Re: (ITS#5505) Attribute value for 'modifiersName' in case of overlays
From: "Pierangelo Masarati" <ando@sys-net.it>
To: michael@stroeder.com
Cc: openldap-its@openldap.org
> Just a feature request for convenience:
>
> Would it be possible to set the value of attribute 'modifiersName' to the
> DN of the overlays' configuration entry under cn=config if an entry was
> modified by an overlay? In this case one would have a direct link to the
> configuration if needed. Currently 'cn=<overlay name>' (e.g.
> cn=Referential Integrity Overlay) is added which does not refer to an
> existing entry at all.

Technically, I don't see any problem, except that overlays (and software
modules, in general) do not hold a direct reference to their config
entry's DN, if any (e.g. when back-config is not in use, the data
structure is in place, but not in LDIF form; please correct me if I'm
wrong).  I wonder whether exposing such detail makes sense, or risks
breaking any security.  Probably I'm getting paranoid...

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------




Followup 2

Date: Sat, 24 May 2008 12:19:42 +0200
From: Pierangelo Masarati <ando@sys-net.it>
To: openldap-its@openldap.org
CC: Michael Ströder <michael@stroeder.com>
Subject: Re: (ITS#5505) Attribute value for 'modifiersName' in case of overlays
ando@sys-net.it wrote:
>> Just a feature request for convenience:
>>
>> Would it be possible to set the value of attribute 'modifiersName' to
>> the DN of the overlays' configuration entry under cn=config if an entry
>> was modified by an overlay? In this case one would have a direct link to
>> the configuration if needed. Currently 'cn=<overlay name>' (e.g.
>> cn=Referential Integrity Overlay) is added which does not refer to an
>> existing entry at all.
> 
> Technically, I don't see any problem, except that overlays (and software
> modules, in general) do not hold a direct reference to their config
> entry's DN, if any (e.g. when back-config is not in use, the data
> structure is in place, but not in LDIF form; please correct me if I'm
> wrong).  I wonder whether exposing such detail makes sense, or risks
> breaking any security.  Probably I'm getting paranoid...

As a quick fix to your legitimate issue, I've added to HEAD the
refint_modifiersname parameter that allows customizing the name used
for internal modifications.  Please test.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
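The audit the original request implies, and what the refint_modifiersname parameter from the previous followup makes possible: an added example (not code from this thread or from OpenLDAP) that reads a constructed LDIF dump and flags entries whose modifiersName names no existing entry, so a synthetic 'cn=Referential Integrity Overlay' stands out while a name pointed at the overlay's own cn=config entry resolves. All DNs, including the olcOverlay={0}refint,olcDatabase={1}mdb,cn=config entry, are assumptions.

```python
import base64

# Constructed sample LDIF dump (not from the ITS thread; DNs are assumptions).
# group1 was rewritten by slapo-refint with its default synthetic modifiersName;
# group2 with refint_modifiersname pointed at the overlay's own cn=config entry.
SAMPLE_LDIF = """\
dn: olcOverlay={0}refint,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig

dn: cn=group1,ou=groups,dc=example,dc=com
objectClass: groupOfNames
modifiersName: cn=Referential Integrity Overlay

dn: cn=group2,ou=groups,dc=example,dc=com
objectClass: groupOfNames
modifiersName: olcOverlay={0}refint,olcDatabase={1}mdb,
 cn=config
"""


def normalize_dn(dn):
    """Case-fold and strip blanks around RDN separators (escaped commas ignored)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Minimal LDIF reader -> {normalized dn: {attr: [values]}}; unfolds
    continuation lines, decodes '::' base64 values, skips '#' comments."""
    entries = {}
    for record in text.strip().split("\n\n"):
        lines = []
        for line in record.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]                 # folded continuation
            elif line and not line.startswith("#"):
                lines.append(line)
        attrs = {}
        for line in lines:
            name, _, value = line.partition(":")
            if value.startswith(":"):                 # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode()
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[normalize_dn(attrs.pop("dn")[0])] = attrs
    return entries


def unresolved_modifiers(entries):
    """{entry dn: modifiersName} where modifiersName names no entry in the dump,
    i.e. an identity an auditor cannot look up (the thread's complaint)."""
    return {dn: mn for dn, attrs in entries.items()
            for mn in attrs.get("modifiersname", [])
            if normalize_dn(mn) not in entries}
```

Run it against a real slapcat dump with the same functions; entries outside the dump (for example a rootdn that has no entry of its own) will also be reported, which is exactly the information the audit wants.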




Followup 3

Date: Sat, 21 Feb 2009 11:11:43 +0100
From: Pierangelo Masarati <ando@sys-net.it>
To: openldap-its@openldap.org
Subject: ITS#5505
The BackendDB structure could have a specific bd_modifiersName field for 
internal modifications; the slap_overinst structure could have a 
on_modifiersName as well.  Both could be configurable using a(n 
optional, single-valued) olcModifiersName attribute.

Internal writes would receive the modifiersName from:

- the application; or
- the overlay's olcModifiersName; or
- the database's olcModifiersName; or
- the database's rootdn; or
- ?!?  fail?  remain anonymous?

a call to

int
slap_get_modifiersName( Operation *op, BackendDB *be, slap_overinst *on,
	struct berval *mn, struct berval *nmn )
{
	/* default: the identity the operation already carries */
	*mn = op->o_dn;
	*nmn = op->o_ndn;

	/* anonymous internal write: walk the fallback chain */
	if ( BER_BVISEMPTY( nmn ) ) {
		if ( on && !BER_BVISNULL( &on->on_modifiersName ) ) {
			/* overlay-level olcModifiersName */
			*mn = on->on_modifiersName;
			*nmn = on->on_nmodifiersName;
		} else if ( be ) {
			if ( !BER_BVISNULL( &be->bd_modifiersName ) ) {
				/* database-level olcModifiersName */
				*mn = be->bd_modifiersName;
				*nmn = be->bd_nmodifiersName;
			} else if ( !BER_BVISNULL( &be->bd_rootdn ) ) {
				/* database rootdn */
				*mn = be->bd_rootdn;
				*nmn = be->bd_rootndn;
			}
		}
	}

	/* non-zero if a name was found; zero means the write stays anonymous */
	return !BER_BVISEMPTY( nmn );
}

would return the appropriate value, if any.

Probably a bit too much effort, but then multiple customizations that 
need to perform internal writes would be saved the effort and the 
dispersion of having to define their own configuration bit for a common 
feature.

p.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------


© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org