
ITS#2757 adding an entry without parent

Trying to clear out some old cruft...

I believe the desired behavior is, if the new entry has no parent, then 
either the new entry must be the context entry, or the suffix must be 
empty and the new entry must have only one RDN. But the bit about 
"subject to access controls" is still a sticky point; normally we 
require WriteAdd access to the parent's "children" pseudo-attribute, as 
well as WriteAdd access to the new entry's "entry" pseudo-attribute.

It seems, if there is no parent entry, we really cannot evaluate the 
first condition. Although I suppose we could define a specific
    access to dn.base="" attr=children
       by foo add

and pass a dummy entry in to evaluate it. But the point is, since there 
are no entries in the database yet, there cannot be any valid users, so 
really it's only possible for the rootdn to do these adds anyway.

That last bit is not entirely true; a server with multiple databases 
could have authenticated the user using some other database. Or the user 
could be authenticated by SASL. Are these the only situations where the 
current behavior makes any difference? Seems like we've come a long way 
with this "bug" in existence and nobody has been bothered so far.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
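
The rule discussed in this message, modelled in C as an added example (not OpenLDAP source and not code from the original post). The `add_request` structure, its field names and the result codes are hypothetical, DNs are assumed to be already normalized, and the rootdn-only outcome for a parentless add is an assumed policy that the message itself leaves open.

```c
/* Added illustration: a model of the rule discussed, not OpenLDAP source. */
#include <stdbool.h>
#include <string.h>

enum add_result { ADD_OK, ADD_NO_SUCH_OBJECT, ADD_INSUFFICIENT_ACCESS };

struct add_request {            /* hypothetical structure for this example */
    const char *entry_dn;       /* normalized DN of the entry being added */
    const char *suffix;         /* database suffix; "" means empty suffix */
    bool parent_exists;         /* parent entry is present in the database */
    bool is_rootdn;             /* requester is the database rootdn */
    bool children_add;          /* ACL result: add on parent's "children" */
    bool entry_add;             /* ACL result: add on new entry's "entry" */
};

/* Count RDNs: unescaped commas separate RDNs; "\," and "\\" are skipped.
 * Quoted-string DN values are not handled (assumed absent after
 * normalization). */
int rdn_count(const char *dn)
{
    if (*dn == '\0')
        return 0;
    int n = 1;
    for (const char *p = dn; *p != '\0'; p++) {
        if (*p == '\\' && p[1] != '\0')
            p++;                /* skip the escaped character */
        else if (*p == ',')
            n++;
    }
    return n;
}

enum add_result check_add(const struct add_request *r)
{
    if (r->parent_exists) {
        /* Normal case: both pseudo-attribute checks apply (rootdn bypasses). */
        if (r->is_rootdn || (r->children_add && r->entry_add))
            return ADD_OK;
        return ADD_INSUFFICIENT_ACCESS;
    }
    /* No parent: only the context entry, or a single-RDN entry under an
     * empty suffix, is structurally acceptable. */
    bool is_context = strcmp(r->entry_dn, r->suffix) == 0 && *r->suffix != '\0';
    bool top_of_empty = *r->suffix == '\0' && rdn_count(r->entry_dn) == 1;
    if (!is_context && !top_of_empty)
        return ADD_NO_SUCH_OBJECT;
    /* Assumed policy: with no parent to evaluate "children" against,
     * only the rootdn may create the entry. */
    return r->is_rootdn ? ADD_OK : ADD_INSUFFICIENT_ACCESS;
}
```

The case the message worries about is the one where `parent_exists` is false and the requester is not the rootdn but was authenticated through another database or SASL; under the assumed policy that request is refused even if an ACL would grant `entry_add`.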