
Re: ACIs rely on multivalue attribute order (Was: are multivalued attributes really unordered?)



[moved to -devel]

> Michael Ströder wrote:
>
>> Pierangelo Masarati wrote:
>>
>>>> On a related note, I see that the current implementation of ACIs
>>>> relies on the ordering of multivalued attributes; in fact, ACI values
>>>> are evaluated in the order they appear, and as soon as one matches,
>>>> the checking terminates; of course, writing ACIs with different values
>>>> of the OpenLDAPaci attributes that overlap would be considered wrong,
>>>> but in any case it is possible and I guess in some cases it may also
>>>> be considered desirable (I didn't consider this enough to exclude that
>>>> possibility).
>>>
>>> I overlooked the design; the above is only partially true, in the sense
>>> that all rules (i.e. all values) are evaluated for a single object;
>>> what I
>>> haven't understood yet is if the order in which they are evaluated is
>>> irrelevant or may alter the resulting permissions.
>>
>> Grabbed example data (and snipped lines) from
>> http://www.openldap.org/faq/data/cache/634.html:
>>
>> OpenLDAPaci: 1#entry#grant;r,w,s,c;[all]#group#cn=enterprise [..]
>> OpenLDAPaci: 2#entry#grant;r,w,s,c;[all]#group#cn=dallas [..]
>> OpenLDAPaci: 3#entry#grant;r,w,s,c;userPassword,mail; [..]
>> OpenLDAPaci: 4#entry#grant;r,s,c;[all]#group#cn=all [..]
>>             ^^^
>> AFAICS the prefixed numbers preserve the ACI evaluation order. So
>> there is an order defined for the values themselves together with
>> semantics. However there is no order how the values are stored or
>> transmitted over LDAP.
>>
>> Didn't we have this topic before...?
>
> Yes, I'm sure we did. And for back-config I'm introducing a schema flag
> X-ORDERED-VALUES to specify that values of a particular attribute have
> their order preserved and may be referenced by position, not just by
> value. Of course, I think this was discussed on -devel, not -software.

I must have missed that discussion; however, I've been playing with ACIs
last weekend, and I didn't see anything in the code that preserves any
ordering...  unless I overlooked something.  In any case, for the purpose
of ACIs (i.e. being replicable, even cross-platform, access info), this is
a clear violation of the protocol and thus will not be portable, unless I'm
overlooking something else.

Ciao, p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
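The point Michael makes above, that the numeric prefix is the only order an OpenLDAPaci value carries because LDAP gives no guarantee about how multivalued attributes are stored or transmitted, can be made concrete with a small parser. This is an added example, not code from the thread or from OpenLDAP itself; the value layout follows the form quoted from the FAQ, the sample values are constructed, and the full DNs and the `access-id` subject are assumptions.

```python
"""Parse OpenLDAPaci values and order them by their numeric prefix.

Added example, not code from the thread or from OpenLDAP itself. Layout
of a value, as quoted in the thread (subject DNs are assumed):
    <number>#<scope>#<action>;<perms>;<attrs>[;<perms>;<attrs>...]#<subject type>#<subject>
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Aci:
    number: int          # the prefix that records the intended evaluation order
    scope: str           # e.g. "entry"
    action: str          # "grant" or "deny"
    rights: tuple        # ((perms, attrs), ...) as (frozenset, frozenset) pairs
    subject_type: str    # e.g. "group", "access-id"
    subject: str         # the DN or other subject spec


def parse_aci(value: str) -> Aci:
    # Split on at most four '#': the subject may itself contain that character.
    number, scope, rights_field, subject_type, subject = value.split("#", 4)
    parts = rights_field.strip(";").split(";")
    action, pairs = parts[0], parts[1:]
    if action not in ("grant", "deny") or len(pairs) % 2:
        raise ValueError(f"malformed rights field: {rights_field!r}")
    rights = tuple(
        (frozenset(pairs[i].split(",")), frozenset(pairs[i + 1].split(",")))
        for i in range(0, len(pairs), 2)
    )
    return Aci(int(number), scope, action, rights, subject_type, subject)


def order_acis(values):
    """Return the ACIs sorted by prefix, independent of the order in which the
    server or the wire delivered them; duplicate prefixes are rejected because
    they would leave the evaluation order ambiguous."""
    seen = {}
    for aci in (parse_aci(v) for v in values):
        if aci.number in seen:
            raise ValueError(f"duplicate ACI number {aci.number}")
        seen[aci.number] = aci
    return [seen[n] for n in sorted(seen)]


# Constructed sample values, modelled on the FAQ excerpt quoted in the thread.
SAMPLE_VALUES = [
    "1#entry#grant;r,w,s,c;[all]#group#cn=enterprise,ou=groups,dc=example,dc=com",
    "2#entry#grant;r,w,s,c;[all]#group#cn=dallas,ou=groups,dc=example,dc=com",
    "3#entry#grant;r,w,s,c;userPassword,mail;r,s,c;[all]#access-id#uid=jdoe,dc=example,dc=com",
    "4#entry#grant;r,s,c;[all]#group#cn=all,ou=groups,dc=example,dc=com",
]

if __name__ == "__main__":
    shuffled = random.sample(SAMPLE_VALUES, len(SAMPLE_VALUES))
    print([a.number for a in order_acis(shuffled)])  # always [1, 2, 3, 4]
```

Whatever order the values arrive in, `order_acis` yields the same sequence, and a duplicated prefix is flagged rather than silently resolved by storage order.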