ITS#2757 adding an entry without parent
Trying to clear out some old cruft...

I believe the desired behavior is, if the new entry has no parent, then
either the new entry must be the context entry, or the suffix must be
empty and the new entry must have only one RDN. But the bit about
"subject to access controls" is still a sticky point; normally we
require WriteAdd access to the parent's "children" pseudo-attribute, as
well as WriteAdd access to the new entry's "entry" pseudo-attribute.

It seems, if there is no parent entry, we really cannot evaluate the
first condition. Although I suppose we could define a specific

    access to dn.base="" attr=children
        by foo add

and pass a dummy entry in to evaluate it. But the point is, since there
are no entries in the database yet, there cannot be any valid users, so
really it's only possible for the rootdn to do these adds anyway.

That last bit is not entirely true; a server with multiple databases
could have authenticated the user using some other database. Or the user
could be authenticated by SASL. Are these the only situations where the
current behavior makes any difference? Seems like we've come a long way
with this "bug" in existence and nobody has been bothered so far.
--
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
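
The add-without-parent rule discussed in the message above, as an added C sketch (not OpenLDAP source and not part of the original post). The struct, function and outcome names are hypothetical, DNs are assumed to be already normalized RFC 4514 strings, and applying the proposed dn.base="" children rule to both parentless cases is an assumption of this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Outcome names are this sketch's own, not slapd result codes. */
enum add_result { ADD_OK, ADD_NO_PARENT, ADD_NO_ACCESS };

struct add_req {              /* hypothetical model of one Add request */
    const char *dn;           /* normalized DN of the new entry */
    const char *suffix;       /* normalized database suffix, "" if empty */
    int parent_exists;        /* parent entry is present in the database */
    int is_rootdn;            /* requester is the rootdn (bypasses ACLs) */
    int entry_add;            /* WriteAdd on the new entry's "entry" */
    int children_add;         /* WriteAdd on "children": the parent's, or with
                                 no parent the dn.base="" rule (assumption) */
};

/* Count RDNs in an RFC 4514 DN string: split on unescaped ',' only.
 * "\," is an escaped comma and '+' joins values inside a single RDN. */
static int rdn_count(const char *dn)
{
    int n = *dn ? 1 : 0;
    for (; *dn; dn++) {
        if (*dn == '\\' && dn[1])
            dn++;             /* skip the escaped character */
        else if (*dn == ',')
            n++;
    }
    return n;
}

static enum add_result check_add(const struct add_req *r)
{
    if (!r->parent_exists) {  /* structural rule, applied to rootdn too */
        int is_context = strcmp(r->dn, r->suffix) == 0;
        int top_of_empty = r->suffix[0] == '\0' && rdn_count(r->dn) == 1;
        if (!is_context && !top_of_empty)
            return ADD_NO_PARENT;
    }
    if (r->is_rootdn)
        return ADD_OK;
    return (r->entry_add && r->children_add) ? ADD_OK : ADD_NO_ACCESS;
}

int main(void)
{   /* Constructed case: SASL-authenticated user adds the context entry. */
    struct add_req r = { "dc=example,dc=com", "dc=example,dc=com", 0, 0, 1, 0 };
    printf("%d\n", check_add(&r));
    return 0;
}
```

The constructed request in `main` is the case the message singles out: a non-rootdn identity authenticated elsewhere, for whom the outcome depends entirely on how the "children" check is evaluated when there is no parent.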