[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: fe_access_allowed() odds (Was: commit: ldap/servers/slapd acl.c frontend.c proto-slap.h)

Howard Chu wrote:

Pierangelo Masarati wrote:

lukeh@OpenLDAP.org wrote:

Add fe_access_allowed(), should allow global ACL overlays to work

This didn't handle the case of requests that are corretly honored by the frontend itself. Please review my fix. Howard, what about having select_backend() return the frontendDB for the appropriate entries? Do you see any drawbacks? (all entries that don't match, or rootDSE and cn=Subschema only?)

That sounds like an odd change in behavior. Aside from the special entries (rootDSE, subschema) if select_backend() cannot find a match we should be dropping the request (either with a referral or OBJECT_NOT_FOUND).

In fact, the issue I was seeing was related to searching the rootDSE; currently, the only entries that may need this special behavior are the rootDSE ("") and the "cn=Subschema", and in that case they needed a special treatment because Lukehas kind of "hijacked" the frontendDB to make it perform ACL checking for those cases that are not handled by a specific backend, so I agree this is special.


SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497