[Date Prev][Date Next] [Chronological] [Thread] [Top]

ITS#3140 patch breaks back-ldap, questionable security.

If an ACL set is evaluated on a back-ldap backend and librewrite is 
being used, slapd will get an assertion failure in rewrite_session_init 
(librewrite/session.c:84) from ldap_back_getconn (back-ldap/bind.c:295). 
This is due to the change in aci_match_set (acl.c:1826) using a new 
Operation structure with o_conn explicitly set to NULL.

It seems that we need a different mechanism for breaking the set 
recursion problem here. This patch appears to allow set ACLs to operate 
indiscriminately, regardless of ACL_AUTH access.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support