
Re: (ITS#3819) Strange slapd.conf diagnostic after authz-regexp



hyc@symas.com wrote:

>Pierangelo Masarati wrote:
>
>> hyc@symas.com wrote:
>>
>>>Well, rootpw makes no sense for the frontendDB. The question about
>>>rootdn is still open.
>>
>> I do not quite understand this comment.  In principle (never thought
>> about it so I'm just trying to form a consistent thought) we could
>> have a "global rootdn", which would be the frontend's rootdn, whose
>> authority spans the entire system, unless a "rootdn" is defined for a
>> database; in the latter case, that "local rootdn" would prevail.  If
>> we implement something like this, a "rootpw" for the frontendDB would
>> make as much sense as it does for each database (with the same pros
>> and cons, I mean).
>
>I see what you're saying. I was thinking about it from a simpler 
>perspective: the rootDN has to be associated with a particular backend's 
>suffix in order for the Bind to be processed, and there is no suffix for 
>the frontendDB. But I guess if it's global then that consideration 
>doesn't need to apply.
>
>If we want to go down this path, it might make sense to get that "user 
>class" implementation going.
>
I agree

> It would be better if things like 
>be_isroot() just needed to check one or two flags (userclass & 
>SLAP_GLOBAL_ROOT) instead of all the ber_bvcmp's that would be needed in 
>all the right places.
>  
>
Well, just to have that feature in place it wouldn't be too hard to do 
something like

int
be_isroot_dn( BackendDB *be, struct berval *ndn )
{
    /* the database's own ("local") rootdn is checked first */
    if ( !BER_BVISNULL( &be->be_rootndn ) ) {
       if ( dn_match( &be->be_rootndn, ndn ) ) {
          return 1;
       }
    }

    /* then the frontend's ("global") rootdn, if one is defined */
    if ( !BER_BVISNULL( &frontendDB->be_rootndn ) ) {
       if ( dn_match( &frontendDB->be_rootndn, ndn ) ) {
          return 1;
       }
    }

    return 0;
}

This way, nothing would have to be changed in the rest of the code.  For 
current installations, only the cost of

    if ( !BER_BVISNULL( &frontendDB->be_rootndn ) ) {

would be required, i.e. a pointer comparison, since 
frontendDB->be_rootndn would always be BER_BVNULL (Note for 
implementors: I don't recall if be_rootndn is NULL or EMPTY when none is 
defined; if needed, replace BER_BVISNULL with BER_BVISEMPTY).

p.



    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
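
Added example (not part of the original message and not OpenLDAP's code): a small C model of the NULL-versus-EMPTY note in the message above. struct berval, BackendDB, the two macros and dn_match() are simplified local stand-ins, and demo() with its inputs is constructed; it shows that with a NULL-only test, a zero-length global rootndn matches the zero-length DN of an anonymous bind.

```c
#include <stdio.h>
#include <string.h>
/* Simplified local stand-ins for names used in the message (no OpenLDAP headers). */
struct berval { size_t bv_len; char *bv_val; };
typedef struct { struct berval be_rootndn; } BackendDB;
#define BER_BVISNULL(bv)  ((bv)->bv_val == NULL)
#define BER_BVISEMPTY(bv) ((bv)->bv_len == 0)
int dn_match(const struct berval *a, const struct berval *b)
{
    return a->bv_len == b->bv_len &&
           (a->bv_len == 0 || memcmp(a->bv_val, b->bv_val, a->bv_len) == 0);
}
BackendDB frontend_storage, *frontendDB = &frontend_storage; /* constructed */

/* The check as sketched in the message: only a NULL rootndn is skipped. */
int isroot_null_check(BackendDB *be, struct berval *ndn)
{
    if (!BER_BVISNULL(&be->be_rootndn) && dn_match(&be->be_rootndn, ndn))
        return 1;
    return !BER_BVISNULL(&frontendDB->be_rootndn) &&
           dn_match(&frontendDB->be_rootndn, ndn);
}

/* Variant: an empty bind DN is never root, and empty rootndns are skipped. */
int isroot_empty_check(BackendDB *be, struct berval *ndn)
{
    if (BER_BVISEMPTY(ndn))
        return 0;
    if (!BER_BVISEMPTY(&be->be_rootndn) && dn_match(&be->be_rootndn, ndn))
        return 1;
    return !BER_BVISEMPTY(&frontendDB->be_rootndn) &&
           dn_match(&frontendDB->be_rootndn, ndn);
}

/* Constructed case: no per-database rootdn, global rootdn `global`, bind DN `who`. */
int demo(int (*check)(BackendDB *, struct berval *), char *global, char *who)
{
    BackendDB be = { { 0, NULL } };
    struct berval ndn = { strlen(who), who };
    frontendDB->be_rootndn = (struct berval){ strlen(global), global };
    return check(&be, &ndn);
}

int main(void)
{
    printf("anonymous bind, empty global rootndn: NULL test=%d, EMPTY test=%d\n",
           demo(isroot_null_check, "", ""), demo(isroot_empty_check, "", ""));
    return 0;
}
```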