
RE: denyop (Was: commit: ldap/servers/slapd/back-monitor back-monitor.h database.c init.c proto-back-monitor.h)

> -----Original Message-----
> From: Pierangelo Masarati [mailto:ando@sys-net.it]

> I just committed some code to enable selective modification of readOnly
> and restrictedOperation attributes in what I think is a consistent manner
> (if any can be defined).  The approach is opposed to what Howard used for
> the readOnly attribute only, and I'm sure there are issues left;
> essentially, readOnly and restrictedOperation act on the same underlying
> data, and the former essentially acts on a subset of the latter.  One
> issue is, for instance, that if we consider readOnly a shortcut to disable
> write operations, if applied to a database that already restricts some
> operations there is no easy way to revert it, e.g.
> # status
> readOnly: FALSE
> restrictedOperation: compare
> restrictedOperation: delete
> # apply readOnly=TRUE
> readOnly: TRUE
> restrictedOperation: compare
> restrictedOperation: add
> restrictedOperation: delete
> restrictedOperation: modify
> restrictedOperation: rename
> # apply readOnly=FALSE
> readOnly: FALSE
> restrictedOperation: compare
> The final status differs from the initial one.
> Feel free to suggest changes, or to revert the changes.

I suppose we could define a separate flag for SLAP_RESTRICT_OP_WRITE and
include it in SLAP_RESTRICT_OP_WRITES. At the moment I'm not too concerned
about it. However, we have a hole in here at the moment because
SLAP_RESTRICT_OP_WRITES doesn't catch EXOP_MODIFY_PASSWD and probably should.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
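
The round trip from the quoted status listing, as an added example that is not part of the original messages and is not OpenLDAP code: it compares readOnly sharing the write bits with restrictedOperation against one reading of the separate-flag suggestion. The `R_*` names, their bit values and all function names are hypothetical and do not reproduce the real `SLAP_RESTRICT_*` definitions.

```c
#include <stdio.h>

/* Hypothetical bit values, constructed for this illustration only. */
#define R_ADD      (1u << 0)
#define R_COMPARE  (1u << 1)
#define R_DELETE   (1u << 2)
#define R_MODIFY   (1u << 3)
#define R_RENAME   (1u << 4)
#define R_READONLY (1u << 5)  /* separate flag that only records readOnly */
#define R_WRITES   (R_ADD | R_DELETE | R_MODIFY | R_RENAME)

/* Shared-bits model: readOnly sets or clears the write bits themselves,
 * so clearing it also wipes write restrictions configured earlier. */
unsigned shared_set_readonly(unsigned mask, int on)
{
    return on ? (mask | R_WRITES) : (mask & ~R_WRITES);
}

/* Separate-flag model: readOnly touches only its own bit. */
unsigned flag_set_readonly(unsigned mask, int on)
{
    return on ? (mask | R_READONLY) : (mask & ~R_READONLY);
}

/* Operations actually denied under the separate-flag model. */
unsigned flag_effective(unsigned mask)
{
    unsigned per_op = mask & ~R_READONLY;
    return (mask & R_READONLY) ? (per_op | R_WRITES) : per_op;
}

/* Nonzero if operation bit `op` must be refused. */
int flag_denied(unsigned mask, unsigned op)
{
    return (flag_effective(mask) & op) != 0;
}

int main(void)
{
    unsigned initial = R_COMPARE | R_DELETE;  /* the "# status" state above */
    unsigned shared = shared_set_readonly(shared_set_readonly(initial, 1), 0);
    unsigned flagged = flag_set_readonly(flag_set_readonly(initial, 1), 0);

    printf("initial 0x%02x\n", initial);
    printf("shared  0x%02x (delete restriction lost: %s)\n", shared,
           (shared & R_DELETE) ? "no" : "yes");
    printf("flagged 0x%02x (matches initial: %s)\n", flagged,
           flagged == initial ? "yes" : "no");
    return 0;
}
```

With the separate flag, toggling readOnly back to FALSE leaves the earlier `delete` restriction in place, while the shared-bits model ends with only `compare` restricted, as in the quoted listing.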