Re: commit: ldap/servers/slapd/back-bdb add.c

[Howard Chu <hyc@symas.com>]

Pierangelo Masarati wrote:
> On Fri, 2006-05-19 at 15:31 -0700, Howard Chu wrote:
>   
> > Test045 is broken now because it only gives the updatedn write 
> > privileges to "dn.subtree=<suffix>"; it now also needs children access 
> > to the suffix's parent. Is the code wrong (which used to explicitly 
> > allow access to the updatedn in this case) or the test's ACL?
> >     
>
> There shouldn't be any suffix's parent involved in access checking.  The
> suffix doesn't have any parent by definition, right?  I guess checking
> children access in this case is incorrect.
>   

Well, there's some uncertainty here. You'll note that modrdn also 
requires write access to the children attr of the newsuperior, and uses 
slap_entry_root for the parent of the suffix already. And, adding
   access to dn.exact="" attrs=children by <foo>write
fixes the test. I think this is actually the right thing, it makes 
everything consistent with no exceptions.

Most configurations probably won't see any difference because they 
typically do
   access to * by <updatedn> write

which grants all of the required access anyway.

--
 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/