
Re: SSF not propagated to syncrepl operation (ITS#3131)



Regarding your patch, I noticed you are applying the SASL SSF to the
o_ssf instead of o_sasl_ssf and then raising o_ssf if o_sasl_ssf
is greater.  Seems a more complete patch would also handle transport and
TLS SSFs.

Kurt

At 08:40 PM 5/4/2004, lukeh@padl.com wrote:
>Full_Name: Luke Howard
>Version: 2.2.10
>OS: Linux
>URL: ftp://ftp.openldap.org/incoming/
>Submission from: (NULL) (165.228.130.11)
>
>
>The application of consumer-side ACLs that contain minimum SSFs does not work
>with syncrepl, because the SSF is not propagated from the LDAP session to the
>fake operation.
>
>For example:
>
>access to *
>        by dn.subtree="OU=Domain Controllers,DC=dsg,DC=padl,DC=com" ssf=56 write
>
>The following difference against OPENLDAP_REL_ENG_2_2_10 fixes this.
>
>Index: syncrepl.c
>===================================================================
>RCS file: /repo/OpenLDAP/pkg/ldap/servers/slapd/syncrepl.c,v
>retrieving revision 1.24.2.20
>diff -u -r1.24.2.20 syncrepl.c
>--- syncrepl.c  13 Apr 2004 15:49:08 -0000      1.24.2.20
>+++ syncrepl.c  5 May 2004 03:36:52 -0000
>@@ -302,6 +302,9 @@
>                }
>        }
> 
>+       /* set SSF for local authorization */
>+       ldap_get_option( si->si_ld, LDAP_OPT_X_SASL_SSF, &op->o_ssf );
>+
>        /* get syncrepl cookie of shadow replica from subentry */
> 
>        assert( si->si_rid < 1000 );
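Review bot: The added ldap_get_option() call ignores its return value and queries only LDAP_OPT_X_SASL_SSF, writing the result straight into op->o_ssf. If the call fails, or the session is protected by TLS or the transport rather than SASL, o_ssf will not reflect the session's actual strength, and an ACL such as ssf=56 is then evaluated against the wrong value. Suggest checking the result against LDAP_OPT_SUCCESS, storing the SASL value in o_sasl_ssf, and setting o_ssf to the highest of the SASL, TLS and transport SSFs. The comment could also state that the value is copied from the LDAP session si->si_ld into the internal operation.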