
Re: (ITS#3877) openldapACIValidate patch + legal issues

A reworked patch has been applied to HEAD.  I note that a few steps remain:
- aci_mask() should now take advantage of the availability of normalized
values and be less paranoid
- the combination #define SLAPD_ACI_ENABLED / #undef SLAP_DYNACL should be
removed, to simplify the code
- the Validate/Pretty/Normalize functions do not handle all of the
semantics of the original aci_mask() function; for instance, that routine
allowed value submatch embedded in attribute permissions.  I think that
capability should be removed, unless it proves of extreme usefulness.
- the first field in an ACI value is an objectIdentifier, not an integer;
as such, I used numericoidValidate() instead of integerValidate();
however, I'd favor an approach that uses the OpenLDAP X-ORDERED 'VALUES'
extension to ensure that values are used in the expected order, and to
simplify management by accessing by index instead of by value.  Access by
index could be done as well in the current version by defining a sort of
objectIdentifierFirstComponentMatch rule for the OpenLDAPaciSyntax.

Please test.  Thanks, p.

Pierangelo Masarati

    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497