OpenLDAP

Viewing Incoming/7446

From: michael@stroeder.com
Subject: slapadd OBSOLETE object class fails
Date: Mon, 19 Nov 2012 21:24:43 +0000
From: michael@stroeder.com
To: openldap-its@OpenLDAP.org
Subject: slapadd OBSOLETE object class fails
Full_Name: Michael Ströder
Version: HEAD
OS: 
URL: 
Submission from: (NULL) (79.227.170.198)


Importing an LDIF file with slapadd which contains entries with an object class
marked as OBSOLETE in the schema fails.

Importing entries with OBSOLETE attribute types seems to work just fine.

If object classes are marked as OBSOLETE it's clear that it should be impossible
to add new entries via LDAP based on such an object class. But it should still
be possible to restore old entries from backup.

Followup 1

Date: Mon, 19 Nov 2012 22:48:29 +0100
Subject: Re: (ITS#7446) slapadd OBSOLETE object class fails
From: "Pierangelo Masarati" <masarati@aero.polimi.it>
To: michael@stroeder.com
Cc: openldap-its@openldap.org
> Full_Name: Michael Ströder
> Version: HEAD
> OS:
> URL:
> Submission from: (NULL) (79.227.170.198)
>
>
> Importing an LDIF file with slapadd which contains entries with an object class
> marked as OBSOLETE in the schema fails.
>
> Importing entries with OBSOLETE attribute types seems to work just fine.
>
> If object classes are marked as OBSOLETE it's clear that it should be impossible
> to add new entries via LDAP based on such an object class. But it should still
> be possible to restore old entries from backup.

Currently, slap_tool_entry_check() sets "manage" to 0 when calling
entry_schema_check(); setting it to !0 would allow loading of OBSOLETE
objectClasses.  Maybe "manage" should be passed to
slap_tool_entry_check(), and write tools (slapadd, slapmodify) could have
an explicit '-o manage' option to enable handling of these cases.

p.

-- 
Pierangelo Masarati
Associate Professor
Dipartimento di Ingegneria Aerospaziale
Politecnico di Milano



Followup 2

Date: Mon, 19 Nov 2012 23:12:16 +0100
From: Michael Ströder <michael@stroeder.com>
To: masarati@aero.polimi.it
CC: openldap-its@openldap.org
Subject: Re: (ITS#7446) slapadd OBSOLETE object class fails
masarati@aero.polimi.it wrote:
> Maybe "manage" should be passed to
> slap_tool_entry_check(), and write tools (slapadd, slapmodify) could have
> an explicit '-o manage' option to enable handling of these cases.

I'd regard slapadd to be in kind of a manage mode by default. E.g. it does not
check constraints. And as said OBSOLETE attribute types are already accepted.

Ciao, Michael.
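
A pre-restore check for the situation reported in this ITS, added here as an example (it is not OpenLDAP code and not from the thread): it lists the entries in a backup LDIF that name an object class marked OBSOLETE in the schema, so they can be found before a slapadd restore fails on them. The OIDs, class names and LDIF below are constructed, and the parser assumes slapd schema-file syntax (`objectclass ( ... )`) and plain, non-base64 `dn` and `objectClass` values.

```python
import re

# Constructed sample schema in slapd schema-file syntax (not from the ITS).
SCHEMA = """
objectclass ( 1.3.6.1.4.1.55555.1.1 NAME 'legacyAccount'
    DESC 'constructed example' OBSOLETE SUP top STRUCTURAL MUST cn )
objectclass ( 1.3.6.1.4.1.55555.1.2 NAME ( 'currentAccount' 'curAcct' )
    DESC 'replaces the OBSOLETE legacyAccount' SUP top STRUCTURAL MUST cn )
"""

# Constructed sample backup LDIF; the second entry has a folded objectClass line.
LDIF = """\
dn: cn=old,dc=example,dc=com
objectClass: LegacyAccount
cn: old

dn: cn=new,dc=example,dc=com
objectClass: current
 Account
cn: new
"""

def obsolete_object_classes(schema_text):
    """Lower-cased names of object classes whose definition carries OBSOLETE."""
    names = set()
    for definition in re.split(r"(?im)^\s*objectclass\s+(?=\()", schema_text)[1:]:
        m = re.search(r"\bNAME\s+(?:\(([^)]*)\)|'([^']*)')", definition)
        # Drop quoted strings first so the word inside a DESC does not count.
        unquoted = re.sub(r"'[^']*'", "", definition)
        if m and re.search(r"\bOBSOLETE\b", unquoted):
            found = re.findall(r"'([^']*)'", m.group(1)) if m.group(1) else [m.group(2)]
            names.update(n.lower() for n in found)
    return names

def entries_using_obsolete(ldif_text, obsolete):
    """(dn, objectClass) pairs for entries that name an OBSOLETE object class."""
    unfolded = re.sub(r"\r?\n ", "", ldif_text)  # undo RFC 2849 line folding
    hits = []
    for block in re.split(r"\r?\n\s*\r?\n", unfolded.strip()):
        dn = None
        for line in block.splitlines():
            attr, _, value = line.partition(":")  # comment lines never match below
            value = value.strip()
            if attr.lower() == "dn":
                dn = value
            elif attr.lower() == "objectclass" and value.lower() in obsolete:
                hits.append((dn, value))
    return hits
```

Calling `entries_using_obsolete(LDIF, obsolete_object_classes(SCHEMA))` on the constructed data reports only the `cn=old` entry; object class names are compared case-insensitively.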



The OpenLDAP Issue Tracking System uses a hacked version of JitterBug

______________
© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org