Re: (ITS#3877) Enhancement: openldapACIValidate implementation

> But if validate function is going to be implemented in acl.c,
> it'll be more appropriate to use aci_get_part function.
> So, one may forget about clumsy bertok

That's an option.  I'd avoid as much as possible both code duplication and
code dispersion, by keeping ACI code within acl.c (in the future, maybe in
aci.c, if I spare time to solve the code commonality issue within ACI and

>> 3) beware of escaping the delimiter char; there was recently an issue with
>> ACIs that didn't parse correctly a DN containing a "#"; it is now fixed
>> (in 2.3 for sure; not sure about 2.2), but I didn't check if your patch
>> takes care of it.
> DN are placed at the very end of ACI. In its current implementation
> ACIValidate does not validate subject field, because it's not always a DN.

Of course you need to validate it only when it's a DN; while validating it
it might be worth to pretty and normalize it, under the assumption that
the time consuming part of the job is parsing/validating the DN.

> But I'll definitely look at it when adding DN-validate there.
>> 4) I'd also see room for an ACI normalization function that takes care of
>> normalizing the DN in ACIs, so that we don't need to re-normalize them all
>> times the ACIs are invoked (see all the occurrences of dnNormalize() in
>> aci_mask()).
> You mean, to implement pretty function for ACI?

As, according to Kurt's mail as well.  Since when adding an ACI rule the
value is validated, we could also prettify and normalize it, so the pretty
value actually gets into the directory, and the normalized form can be
efficiently used to perform access checking.


Pierangelo Masarati

    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
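
The delimiter issue raised in point 3, as an added example that is not part of the original message and is not OpenLDAP's code: because the subject sits at the very end of the ACI, a validator can treat only the leading "#" characters as delimiters and keep any later "#" as part of the DN. The five-field layout (oid#scope#rights#type#subject), the names `aci_split` and `aci_count_naive`, and the sample value are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define ACI_FIELDS 5   /* assumed layout: oid#scope#rights#type#subject */

struct aci_part { const char *ptr; size_t len; };

/* Constructed sample: the subject DN contains an unescaped '#'. */
static const char SAMPLE[] = "1#entry#grant;r,w;[all]#access-id#cn=build#42,dc=example,dc=com";

/* Naive tokenizer: counts every '#' as a delimiter, so a '#' in the DN adds a field. */
static int aci_count_naive(const char *aci)
{
    int n = 1;
    for (; *aci; aci++)
        if (*aci == '#') n++;
    return n;
}

/* Bounded split: only the first ACI_FIELDS-1 '#' are delimiters; the rest of
 * the string, '#' included, is the subject. Returns 0 on success, -1 when a
 * delimiter is missing or a field is empty. Parts point into aci (no copy). */
static int aci_split(const char *aci, struct aci_part parts[ACI_FIELDS])
{
    const char *p = aci;
    for (int i = 0; i < ACI_FIELDS - 1; i++) {
        const char *d = strchr(p, '#');
        if (d == NULL || d == p) return -1;
        parts[i].ptr = p;
        parts[i].len = (size_t)(d - p);
        p = d + 1;
    }
    if (*p == '\0') return -1;          /* empty subject */
    parts[ACI_FIELDS - 1].ptr = p;
    parts[ACI_FIELDS - 1].len = strlen(p);
    return 0;
}

int main(void)
{
    struct aci_part parts[ACI_FIELDS];
    printf("naive field count: %d\n", aci_count_naive(SAMPLE));
    if (aci_split(SAMPLE, parts) == 0)
        printf("subject: %.*s\n", (int)parts[4].len, parts[4].ptr);
    return 0;
}
```

The subject returned by the bounded split is the value that would then be handed to DN validation when the type field says it is a DN.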