Re: commit: ldap/servers/slapd/back-bdb add.c

Pierangelo Masarati wrote:
> On Fri, 2006-05-19 at 15:31 -0700, Howard Chu wrote:
>> Test045 is broken now because it only gives the updatedn write privileges to "dn.subtree=<suffix>"; it now also needs children access to the suffix's parent. Is the code wrong (which used to explicitly allow access to the updatedn in this case) or the test's ACL?
>
> There shouldn't be any suffix's parent involved in access checking. The
> suffix doesn't have any parent by definition, right? I guess checking
> children access in this case is incorrect.

Well, there's some uncertainty here. You'll note that modrdn also requires write access to the children attr of the newsuperior, and uses slap_entry_root for the parent of the suffix already. And, adding
    access to dn.exact="" attrs=children by <foo> write
fixes the test. I think this is actually the right thing, it makes everything consistent with no exceptions.

Most configurations probably won't see any difference because they typically do
    access to * by <updatedn> write

which grants all of the required access anyway.

 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/
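
A simplified model of the check discussed in this message, added here as an illustration; it is not OpenLDAP code. The DNs, the function names, the first-match evaluation over write-only rules, and requiring write on the `entry` pseudo-attribute of the new entry are assumptions of the model.

```python
# Toy model of the add-time access check: NOT slapd's implementation.
# Constructed sample DNs (assumptions, not from the thread).
SUFFIX = "dc=example,dc=com"
UPDATEDN = "cn=replica,dc=example,dc=com"

def parent_dn(dn):
    """Parent of a DN; the suffix's parent is modelled as the root entry ""."""
    if dn == SUFFIX:
        return ""
    return dn.split(",", 1)[1]  # naive: ignores escaped commas

def what_matches(what, dn, attr):
    """Does an 'access to <what>' clause cover this (dn, attr) pair?"""
    scope, target, attrs = what
    if attrs is not None and attr not in attrs:
        return False
    if scope == "*":
        return True
    if scope == "exact":
        return dn == target
    # subtree: the target itself or anything beneath it
    return dn == target or dn.endswith("," + target)

def has_write(acls, who, dn, attr):
    """The first clause whose <what> matches decides; no match means deny."""
    for what, writers in acls:
        if what_matches(what, dn, attr):
            return who in writers
    return False

def can_add(acls, who, dn):
    """Add needs write on the new entry and on 'children' of its parent."""
    return (has_write(acls, who, dn, "entry")
            and has_write(acls, who, parent_dn(dn), "children"))

# access to dn.subtree=<suffix> by <updatedn> write  (the test's ACL)
TEST_ACL = [(("subtree", SUFFIX, None), {UPDATEDN})]
# plus: access to dn.exact="" attrs=children by <updatedn> write
FIXED_ACL = [(("exact", "", {"children"}), {UPDATEDN})] + TEST_ACL
# access to * by <updatedn> write  (the typical configuration)
BROAD_ACL = [(("*", None, None), {UPDATEDN})]

if __name__ == "__main__":
    for name, acl in (("test", TEST_ACL), ("fixed", FIXED_ACL), ("broad", BROAD_ACL)):
        print(name, "add suffix entry:", can_add(acl, UPDATEDN, SUFFIX))
```

In this model the subtree-only ACL still allows adds below the suffix; only the add of the suffix entry itself fails, because the root entry `""` lies outside `dn.subtree=<suffix>`.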