ITS#4829, creating olcDbDirectory
- To: OpenLDAP Devel <openldap-devel@openldap.org>
- Subject: ITS#4829, creating olcDbDirectory
- From: Howard Chu <hyc@symas.com>
- Date: Thu, 30 Apr 2009 04:28:34 -0700
- User-agent: Mozilla/5.0 (X11; U; Linux x86_64; rv:1.9.1b5pre) Gecko/20090425 SeaMonkey/2.0a1pre Firefox/3.0.3
I thought I had a good idea for this, although upon further reflection it
still has holes. But it may still be a good starting point for discussion:
For backends that support the olcDbDirectory keyword, we should also define a
write-only olcDbMkdir attribute. If it's provided when ldapadd'ing an
olcDatabase entry, or when ldapmodifying, then its values are treated as
pathnames that we will attempt to create before processing any other parts of
the request. This attribute would not be persisted in the cn=config backing
store, so it will only take effect on dynamic operations, not when reloading
the config on a subsequent startup.
If the target directory already exists and is owned by the current uid, then
it's a no-op. If the owner doesn't match, or the target pathname is not a
directory, the request will fail. Otherwise, we try the mkdirs and proceed if
they succeed. No cleanup will be performed on a failure - it would be pretty
rude to "rm -rf" an existing database here.
It may still be worthwhile to provide a global setting defining the filesystem
locations that are allowed to be used. (Of course, anyone with back-config's
rootdn credentials can set it to anything they want, anyway.)
Comments?
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
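The policy sketched in the post (existing directory owned by the current uid is a no-op, wrong owner or non-directory is refused, missing path is created with its parents, nothing is cleaned up on failure), as an added C example that is not OpenLDAP's code; the function and enum names and the temp-directory scenario are this example's own assumptions.

```c
/* Added example, not OpenLDAP code: the olcDbMkdir policy from the post as a
 * standalone helper; the names below are this example's own. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
enum { DBDIR_EXISTS, DBDIR_CREATED, DBDIR_NOT_DIR, DBDIR_WRONG_OWNER, DBDIR_FAILED };
/* mkdir -p with mode 0700; on failure nothing already created is removed. */
static int mkdirs(const char *path)
{
    char buf[PATH_MAX];
    if (!*path || strlen(path) >= sizeof buf) return DBDIR_FAILED;
    strcpy(buf, path);
    for (char *p = buf + 1; *p; p++) {      /* create each parent in turn */
        if (*p != '/') continue;
        *p = '\0';
        if (mkdir(buf, 0700) != 0 && errno != EEXIST) return DBDIR_FAILED;
        *p = '/';
    }
    return (mkdir(buf, 0700) == 0 || errno == EEXIST) ? DBDIR_CREATED : DBDIR_FAILED;
}
/* Existing dir owned by the current uid: no-op. Wrong owner or not a directory:
 * refuse. Missing: create. lstat() refuses a symlink at the target instead of following it. */
int olc_db_mkdir(const char *path)
{
    struct stat st;
    if (lstat(path, &st) == 0) {
        if (!S_ISDIR(st.st_mode)) return DBDIR_NOT_DIR;
        if (st.st_uid != getuid()) return DBDIR_WRONG_OWNER;
        return DBDIR_EXISTS;
    }
    return errno == ENOENT ? mkdirs(path) : DBDIR_FAILED; /* e.g. EACCES: fail */
}
/* Constructed scenario in a fresh temp dir; returns how many of 3 checks passed. */
int olc_db_mkdir_demo(void)
{
    char tmpl[] = "/tmp/olcdbmkdir-XXXXXX", path[PATH_MAX];
    int ok = 0;
    if (!mkdtemp(tmpl)) return -1;
    snprintf(path, sizeof path, "%s/data/new", tmpl);
    ok += olc_db_mkdir(path) == DBDIR_CREATED;  /* missing parents made on demand */
    ok += olc_db_mkdir(path) == DBDIR_EXISTS;   /* second request is a no-op */
    snprintf(path, sizeof path, "%s/data/file", tmpl);
    fclose(fopen(path, "w"));
    ok += olc_db_mkdir(path) == DBDIR_NOT_DIR;  /* a regular file is refused */
    return ok;
}
```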