
Re: (ITS#3497) Enhancement: back-sql and non-leaf operations



Kurt D. Zeilenga wrote:

[moved to devel for broader discussion]

Waiting for re22 to compile from scratch...

At 07:02 AM 1/20/2005, ando@sys-net.it wrote:


Full_Name: Pierangelo Masarati
Version: HEAD
OS: irrelevant
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (131.175.154.56)


Back-sql could be easily modified to support operations on non-leaves, like
subtree deletion e.g. when the LDAP_CONTROL_X_TREE_DELETE is used, and renaming
of non-leaf entries, thanks to the transaction support of the underlying RDBMS.



What would you do if you run into a referral object?

Is there any implementation of MS's tree delete (in OpenLDAP?
in non-MS server?).  Seems the specification is incomplete...

I don't even see a clear specification for it... Maybe we'd just define one of our own, and stick with it.

Subtree deletion would require fetching all the children, checking whether there's
any referral among them (which would require manageDSAit for the entire
operation?), and then deleting them.



I don't see this as something requiring manageDSAit (control or permission).

I do see it requiring permission to delete each object in
the subtree.

Of course I'd treat the operation as if it were split in the corresponding operations on each entry from that point of view. If a referral is found, I'd reject the whole operation if manageDSAit is not set, otherwise I'd just perform it.

Renaming would be even easier, since only table ldap_entries would need to be
modified (essentially, all subtree DNs need to be renamed, and that's all).  I
guess manageDSAit would still be required if there's any referral among the
children, so all entries should be fetched in any case.

I'm wondering if any special permission should be requested for operations
of this kind. Maybe manageDSAit, possibly with the extra 'm' (manage)
access to the baseObject of the operation (see followups on -devel of
ITS#3472).



For rename, same permission as if the entry to be moved had no
children. (See back-hdb)


Agree.

p.





   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
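
As an added illustration (not code from this thread or from back-sql), the sketch below carries out the subtree deletion semantics proposed in the message above: collect the whole subtree, refuse the entire operation if a referral is present without manageDSAit or if any entry fails its own delete check, then delete inside one RDBMS transaction. The SQLite schema is a simplified stand-in for `ldap_entries`; the `is_referral` column, the `may_delete` callback and the sample DNs are assumptions.

```python
import sqlite3

class Refused(Exception):
    """Whole operation rejected; nothing was deleted."""

def make_db():
    # Constructed sample data; simplified stand-in for back-sql's ldap_entries.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ldap_entries (id INTEGER PRIMARY KEY, "
               "dn TEXT UNIQUE, parent INTEGER, is_referral INTEGER)")
    db.executemany("INSERT INTO ldap_entries VALUES (?,?,?,?)", [
        (1, "dc=example,dc=com", 0, 0),
        (2, "ou=people,dc=example,dc=com", 1, 0),
        (3, "cn=a,ou=people,dc=example,dc=com", 2, 0),
        (4, "ou=remote,ou=people,dc=example,dc=com", 2, 1),  # referral object
        (5, "ou=groups,dc=example,dc=com", 1, 0),
    ])
    db.commit()
    return db

def subtree(db, base_dn):
    # Base entry plus all descendants, deepest first (children before parents).
    q = """WITH RECURSIVE t(id, dn, is_referral, depth) AS (
             SELECT id, dn, is_referral, 0 FROM ldap_entries WHERE dn = ?
             UNION ALL
             SELECT e.id, e.dn, e.is_referral, t.depth + 1
               FROM ldap_entries e JOIN t ON e.parent = t.id)
           SELECT id, dn, is_referral FROM t ORDER BY depth DESC"""
    return db.execute(q, (base_dn,)).fetchall()

def tree_delete(db, base_dn, may_delete, manage_dsa_it=False):
    entries = subtree(db, base_dn)
    if not entries:
        raise Refused("noSuchObject: " + base_dn)
    # Treat the request as one delete per entry: every check must pass first.
    for _id, dn, is_ref in entries:
        if is_ref and not manage_dsa_it:
            raise Refused("referral in subtree without manageDSAit: " + dn)
        if not may_delete(dn):
            raise Refused("insufficientAccess: " + dn)
    # "with db" commits on success and rolls back if any DELETE fails,
    # so the subtree is removed entirely or not at all.
    with db:
        db.executemany("DELETE FROM ldap_entries WHERE id = ?",
                       [(e[0],) for e in entries])
    return len(entries)

def count(db):
    return db.execute("SELECT COUNT(*) FROM ldap_entries").fetchone()[0]
```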