[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#5344) Wrong check for bad Modify DN

To: openldap-its@OpenLDAP.org
Subject: (ITS#5344) Wrong check for bad Modify DN
From: h.b.furuseth@usit.uio.no
Date: Wed, 30 Jan 2008 10:48:56 GMT

Full_Name: Hallvard B Furuseth
Version: HEAD
OS: 
URL: http://folk.uio.no/hbf/OpenLDAP/modrdn.diff
Submission from: (NULL) (129.240.6.233)
Submitted by: hallvard


The slapd/modrdn.c check for affectsMultipleDSAs is insufficient, it
requires newSuperior to be in the same backend.  That does not catch
moving "cn=x,cn=y" to another database's suffix "cn=z,cn=y".  Also
if a database has multiple suffixes it prevents moving an entry
to one of the suffixes.

slapd/modrdn.c can catch attempts to place an entry above/below itself.
It doesn't need to send those to the database and hope that catches it.
This patch puts it in the frontend (fe_op_modrdn); that needed to
generate the destination DN anyway for the affectsMultipleDSAs check.
Not sure if that's right or if it should go in do_modrdn() instead.
(I'm thinking of DN rewriting in rwm, vs. global overlays.)

In test005-modrdn, the "modrdn with newSuperior as child of target" check
would not catch anything: It expects failure, but the newSuperior did
not exist and would fail with noSuchObject in any case.  This patch uses
newSuperior=target instead, and expects unwillingToPerform.

I'll apply the patch later, unless someone thinks it should be done
differently.

Prev by Date: Re: (ITS#5330) back-null upgrade
Next by Date: Re: (ITS#5344) Wrong check for bad Modify DN
Index(es):
- Chronological
- Thread