Re: (ITS#5572) Append global ACL to new backends
> Howard Chu wrote:
>> rein@OpenLDAP.org wrote:
>>> The global ACLs are not added to newly created backends, i.e. a server
>>> must be done before they are included. The patch at the end should
>>> fix this. OK
>>> to commit Howard?
>> My preference here would be to rip out everything that appends the
>> global ACLs and instead change the access_allowed checker to reference
>> the global ACLs directly when needed.
> Agreed, that would also fix the problem that dynamic updates to the
> global ACLs require a restart to be effective. I can look into this
> next week. To be sure I have the semantics correct, it should be to
> evaluate ACLs local to the backend first, then the global, until a
> matching entry has been found?
I have finally had time to look at this, and I have uploaded a
suggestion for a patch to ftp://ftp.openldap.org/incoming/ITS5572.patch.
The AccessControlState cache and its backtracking was complicating
things a bit, but I hope I have got it correct. All the tests succeed
with the patch, although I'm not sure whether the cache is actually
tested or not.
I haven't done anything with the code that avoids messing with the
global ACL part when modifications are done to a backend ACL; it will
simply not find any trailing frontend ACL to stay away from.
There is probably a similar problem in the pcache and translucent
overlays, as they make a copy of the backend ACL when initializing.
I.e. changes to the backend ACL would not be noticed until a restart? I
haven't looked any further into this, but a bi_access_allowed function
that dynamically fetches the be_acl from the backend could be a fix.
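
The difference between appending the global ACLs to each backend and referencing them at check time, as an added toy model in C; it is not slapd code and not the ITS5572 patch. It assumes the evaluation order proposed in the thread (backend rules first, then global, first match decides); every type, function name, DN and the deny-on-no-match default is hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Toy model, not slapd code: an ACL is a list of rules and the first match decides. */
typedef struct rule { const char *target; int allow; const struct rule *next; } rule;
typedef struct { const rule *own; const rule *snapshot; } backend;

static const rule *global_acl;  /* stand-in for the live global ACL list */

static const rule *first_match(const rule *r, const char *target) {
    for (; r != NULL; r = r->next)
        if (strcmp(r->target, target) == 0) return r;
    return NULL;
}

/* Append scheme: the global rules a backend sees are whatever was attached at startup. */
static int check_appended(const backend *be, const char *target) {
    const rule *r = first_match(be->own, target);
    if (r == NULL) r = first_match(be->snapshot, target);
    return r != NULL ? r->allow : 0;  /* no match: deny (toy default) */
}

/* Reference scheme: backend rules first, then the global list as it is right now. */
static int check_referenced(const backend *be, const char *target) {
    const rule *r = first_match(be->own, target);
    if (r == NULL) r = first_match(global_acl, target);
    return r != NULL ? r->allow : 0;
}

/* Constructed sample rules. */
static const rule g_allow = { "dc=example", 1, NULL };
static const rule g_deny  = { "dc=example", 0, &g_allow };  /* later update puts a deny first */
static const rule b_own   = { "ou=people", 1, NULL };

/* Case 1: backend created after startup, so nothing was ever appended to it. */
int new_backend_case(int by_reference) {
    backend late = { &b_own, NULL };
    global_acl = &g_allow;
    return by_reference ? check_referenced(&late, "dc=example")
                        : check_appended(&late, "dc=example");
}

/* Case 2: global ACL changed at run time after the backend took its copy. */
int global_update_case(int by_reference) {
    backend old = { &b_own, &g_allow };  /* snapshot from startup */
    global_acl = &g_deny;
    return by_reference ? check_referenced(&old, "dc=example")
                        : check_appended(&old, "dc=example");
}
```

In this model the appended scheme denies on the late backend because the global allow never reached it, and keeps granting after the global deny was added; the referenced scheme follows the live list in both cases.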