[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#6468) ACLs in subordinate databases can be ignored

To: openldap-its@openldap.org
Subject: (ITS#6468) ACLs in subordinate databases can be ignored
From: rein@OpenLDAP.org
Date: Tue, 2 Feb 2010 14:46:28 GMT
Auto-submitted: auto-generated (OpenLDAP-ITS)

Full_Name: Rein Tollevik
Version: CVS HEAD
OS: Irrelevant
URL: 
Submission from: (NULL) (2a01:600:0:1:21c:23ff:feab:61cd)
Submitted by: rein


In a glued database configuration where overlays (syncprov, accesslog) are
stacked on top of the glue overlay, ACL evaluation initiated from these overlays
can be evaluated by the superior glue database and not the subordinate database
where the entry actually exist.  I.e, ACLs defined in the subordinate databases
are ignored in these cases.

A fix that implements bi_access_allowed in the glue overlay is coming, it
delegates the call to the actual backend where the entry being referenced exist.
 An alternative approach I considered was to require the overlays to call
select_backend() to find the actual backend where the entry exist, but that
would imo obfuscate the modularization of the code.

--
Rein Tollevik
Basefarm AS

Prev by Date: Re: (ITS#6465) startup error after converting to slapd-config
Next by Date: Re: (ITS#6468) ACLs in subordinate databases can be ignored
Index(es):
- Chronological
- Thread