
Re: ACLs broken by ITS#5419

Rein Tollevik wrote:
> On Mon, 24 Mar 2008, Howard Chu wrote:
>> rein@basefarm.no wrote:
>>> The change to servers/slapd/backend.c for ITS#5416 seems to have broken the
>>> ability for group and set statements in access control lines to refer to
>>> entries outside the backend currently being operated on.
>> That ability was never intended in the first place. Historically, backends in
>> slapd have been treated as isolated DSAs with no connection to each other.
>> They've required special mechanisms (like back-relay or slapo-glue) to be
>> joined.
> Yes, I know, the change that allowed this was imo the one that made sets
> and groups really useful.  Our database configuration still has traces of
> the workarounds the lack of this feature once forced us to make.
> But, the latest change also removes this ability for databases subordinate
> to the same common superior (i.e. using the slapo-glue).  If I understand
> you correctly it is a bug that glue'ed databases cannot refer to each other,
> although I still consider it a bug (or at least a huge drawback) if this
> would no longer be generally possible.

Actually, looking back over CVS, it seems this ability has existed since 
OpenLDAP 2.0, intended or not. Will have to work up a better solution to 
restore that behavior.
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP     http://www.openldap.org/project/