Re: (ITS#3497) Enhancement: back-sql and non-leaf operations
- To: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Subject: Re: (ITS#3497) Enhancement: back-sql and non-leaf operations
- From: Pierangelo Masarati <email@example.com>
- Date: Thu, 20 Jan 2005 21:41:23 +0100
- Cc: openldap-devel@OpenLDAP.org
- References: <200501201502.j0KF2JdA004485@boole.openldap.org> <firstname.lastname@example.org>
- User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20021003
Kurt D. Zeilenga wrote:
[moved to devel for broader discussion]
Waiting for re22 to compile from scratch...
At 07:02 AM 1/20/2005, email@example.com wrote:
I don't even see a clear specification for it... Maybe we'd just define
one of our own, and stick with it.
Full_Name: Pierangelo Masarati
Submission from: (NULL) (22.214.171.124)
Back-sql could be easily modified to support operations on non-leaves, like
subtree deletion e.g. when the LDAP_CONTROL_X_TREE_DELETE is used, and renaming
of non-leaf entries, thanks to the transaction support of the underlying RDBMS.
What would you do if you run into a referral object?
Is there any implementation of MS's tree delete (in OpenLDAP?
in non-MS server?). Seems the specification is incomplete...
Of course I'd treat the operation as if it were split in the
corresponding operations on each entry from that point of view. If a
referral is found, I'd reject the whole operation if manageDSAit is not
set, otherwise I'd just perform it.
Subtree deletion would require to fetch all the children, check whether there's
any referral among them (which would require manageDSAit for the entire
operation?) and subsequent deletion.
I don't see this as something requiring manageDSAit (control
I do see it requiring permission to delete each object in
Renaming would be even easier, since only table ldap_entries would require to be
modified (essentially, all subtree DNs need be renamed, and that's all). I
guess manageDSAit would yet be required if there's any referral among the
children, so all entries should be fetched in any case.
I'm wondering if any special permission should be requested for operations
of this kind. Maybe manageDSAit, possibly with the extra 'm' (manage)
access to the baseObject of the operation (see followups on -devel of
For rename, same permission as if the entry to be moved had no
children. (See back-hdb)
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
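
An added example, not part of the original message and not back-sql code: a sketch of the all-or-nothing subtree deletion discussed in the thread, run inside one RDBMS transaction. It assumes SQLite, a constructed `entries` table and the hypothetical names `tree_delete` and `may_delete`; a referral rejects the whole operation unless manageDSAit is set, and delete permission is checked on every entry.

```python
import sqlite3

class Refused(Exception):
    """Raised when the whole subtree delete must be rejected."""

def sample_db():
    # Constructed stand-in table for illustration; NOT back-sql's real schema.
    db = sqlite3.connect(":memory:", isolation_level=None)  # manual transactions
    db.execute("CREATE TABLE entries (dn TEXT PRIMARY KEY, is_referral INTEGER)")
    db.executemany("INSERT INTO entries VALUES (?, ?)", [
        ("dc=example,dc=com", 0),
        ("ou=people,dc=example,dc=com", 0),
        ("cn=a,ou=people,dc=example,dc=com", 0),
        ("cn=ref,ou=people,dc=example,dc=com", 1),  # referral object
        ("ou=groups,dc=example,dc=com", 0),
    ])
    return db

def tree_delete(db, base, may_delete, manage_dsa_it=False):
    """Delete base and all its descendants atomically; return entries removed."""
    suffix = "," + base
    db.execute("BEGIN IMMEDIATE")
    try:
        rows = db.execute(
            "SELECT dn, is_referral FROM entries "
            "WHERE dn = ? OR substr(dn, -length(?)) = ?",
            (base, suffix, suffix)).fetchall()
        if not rows:
            raise Refused("noSuchObject: " + base)
        # Deepest entries first, so no parent goes before its children.
        # Assumes normalized DNs without escaped commas in RDN values.
        rows.sort(key=lambda r: r[0].count(","), reverse=True)
        for dn, is_referral in rows:
            if is_referral and not manage_dsa_it:
                raise Refused("referral in subtree, manageDSAit not set: " + dn)
            if not may_delete(dn):
                raise Refused("insufficient access to delete: " + dn)
            db.execute("DELETE FROM entries WHERE dn = ?", (dn,))
        db.execute("COMMIT")
        return len(rows)
    except Exception:
        db.execute("ROLLBACK")  # undo any entries already removed
        raise
```
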