Re: Issue with default ACL selection and back-config (revitalizing ITS#3100?...)
Kurt D. Zeilenga wrote:
At 04:59 PM 4/12/2005, Howard Chu wrote:
Of course, forcing back-config to be the first backend was only
necessary when Backends was an array that got realloc'd, because I
needed a reliable way to get hold of it. Since Backends is now a linked
list, we could allow back-config to be anywhere in the order, thus
preserving the intended behavior.
Pierangelo Masarati wrote:
In access_allowed(), when called with null o_bd field, the first database is selected, where the first real database is traditionally intended. The current code has been modified to pick the first database by calling
op->o_bd = LDAP_STAILQ_FIRST( &backendDB );
However, if back-config is enabled, it is forced to be the first database in the list. I can't figure out, right now, how this can be solved in a clean manner.
Hmmm... As per ITS#3100, the behavior to use the first backend has been in place for a long time, but it doesn't make a lot of sense in itself, it seems it was just a hack (acl.c rev 1.93) to allow ACL checks to be performed on the rootDSE and other objects that live outside of a regular backend. Since we now have a frontendDB where the global ACLs live, I think we should just use the frontendDB here.
I note that we've had global ACLs for a long time (which
not only applied to the root DSE, but to all backends
after their specific ACLs).
True. Which makes the "first DB" behavior seem unnecessary.
The one difference is that with the "first DB" behavior, a user bound as
the rootDN of the first DB would automatically have unrestricted access
to the rootDSE etc. (Not that there's anything in there for which root
access is particularly important.) Removing this feature would require
explicit global ACLs for those cases, as the rootDN of the first DB
would no longer be "special" in the context of the rootDSE or schema
I'm fine with doing away with the "first DB ACLS are used if
no global ACLs" feature.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
Symas: Premier OpenSource Development and Support
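
The three selection rules discussed in this thread (first database in the list, first real database, frontendDB), as an added example that is not part of the original messages or of OpenLDAP's code. It shows which rootDN ends up with unrestricted rootDSE access under each rule. The struct, function names, sample DNs and the assumption that the frontend has no rootDN are all hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model; these are not slapd's real structures. */
struct db {
    const char *suffix;
    const char *rootdn;   /* NULL: no rootDN bypass (assumed for the frontend) */
    int is_config;        /* 1 for back-config */
    struct db *next;
};

enum policy { FIRST_IN_LIST, FIRST_REAL_DB, FRONTEND_DB };

/* Constructed sample databases; back-config is forced to the head of the list. */
static struct db frontend_db = { "(frontend)", NULL, 0, NULL };
static struct db user_db = { "dc=example,dc=com", "cn=Manager,dc=example,dc=com", 0, NULL };
static struct db config_db = { "cn=config", "cn=config", 1, &user_db };

/* Database whose ACLs and rootDN apply when an operation has no o_bd. */
const struct db *select_acl_db(enum policy p, int config_enabled)
{
    const struct db *d = config_enabled ? &config_db : &user_db;

    if (p == FRONTEND_DB)
        return &frontend_db;
    if (p == FIRST_REAL_DB) {
        while (d != NULL && d->is_config)
            d = d->next;
    }
    return d != NULL ? d : &frontend_db;
}

/* 1 if bound_dn is treated as root for the rootDSE under this policy.
 * DNs are compared as already-normalized strings. */
int rootdse_unrestricted(enum policy p, int config_enabled, const char *bound_dn)
{
    const struct db *d = select_acl_db(p, config_enabled);
    return d->rootdn != NULL && strcmp(d->rootdn, bound_dn) == 0;
}

int main(void)
{
    static const char *names[] = { "first in list", "first real DB", "frontendDB" };
    int p;
    for (p = FIRST_IN_LIST; p <= FRONTEND_DB; p++)
        printf("%-14s -> %s\n", names[p], select_acl_db((enum policy)p, 1)->suffix);
    return 0;
}
```

With back-config enabled, the first-in-list rule silently moves the rootDSE privilege from the first real database's rootDN to the config rootDN, while the frontendDB rule removes the implicit privilege entirely and leaves it to explicit global ACLs.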