Re: commit: ldap/servers/slapd/back-bdb add.c

On Sat, 2006-05-20 at 01:36 -0700, Howard Chu wrote:

> Well, there's some uncertainty here. You'll note that modrdn also 
> requires write access to the children attr of the newsuperior, and uses 
> slap_entry_root for the parent of the suffix already.

Actually, I think this case is rather different: in this case, rename is
occurring for entries other than the suffix, since the suffix is the
empty DN itself.  If the suffix is not empty, there's no point in
renaming anything to the suffix: it would fail because the suffix, by
definition, must exist if an entry in that naming context exists (unless
we consider cross-database rename, which is not supported AFAIK).

The initial case is about adding the suffix, in which case the parent is
not one depth less (e.g. "dc=com" for "dc=example,dc=com") but the empty
DN itself.

I'm not quite inclined towards the ACL solution because it appears a bit
counterintuitive, but I think we should go that way because it gives the
granularity of separating the right to modify the suffix from the right
to add it.


Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it