ITS#3140 patch breaks back-ldap, questionable security.

If an ACL set is evaluated on a back-ldap backend and librewrite is
being used, slapd will get an assertion failure in rewrite_session_init
(librewrite/session.c:84) from ldap_back_getconn (back-ldap/bind.c:295).
This is due to the change in aci_match_set (acl.c:1826) using a new
Operation structure with o_conn explicitly set to NULL.

It seems that we need a different mechanism for breaking the set
recursion problem here. This patch appears to allow set ACLs to operate
indiscriminately, regardless of ACL_AUTH access.

-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
Symas: Premier OpenSource Development and Support