
Re: ACIs and OL 2.3



Turbo Fredriksson wrote:

>> By quickly reading the code, it seems that the effect you desire is
>> obtained by setting no attribute type, or by using "entry" instead of
>> "[entry]".
> 
> Neither of these works. The first with 'no write access to entry' and the
> second with 'openldapaci: value #0 invalid per syntax'.

A more careful pass through the code shows that actually, "[entry]" is not
tolerated by normalization functions, while "entry" is.  But later on,
checking for "entry" is turned into "[entry]" (catch 22?).

On the contrary, using "[all]" works as expected.

I've fixed that in re23.  Much like in HEAD, now "[entry]" is tolerated
in input, but it gets normalized into "entry" (so don't get surprised
nor disappointed when you look at your newly added ACIs).  Further
checking always uses "entry".

You should note some other odds in input/output, since
normalization/prettification is consistently used on ACI values.  You
might also notice some performance improvement, since now access
checking heavily relies on the presence of normalized values.

Normalization rules shouldn't have changed, so there should be no need
to dump/reload your database.

The multiple attribute feature is gone in 2.3 (it's back in 2.4: see
ITS#4759).  However, 2.3 and later have another feature: you can add
multiple sets of "perms;attr" groups, like

openldapaci: 0#entry#grant;w,r,s,c;entry;r,s,c;objectClass#public#

and so on.

p.




Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
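The message above describes two things about the openldapaci value syntax: "[entry]" is accepted on input but normalized to "entry" (while "[all]" stays as is), and a single value may carry several "perms;attr" groups after the grant/deny action. The following is an added illustration, not code from this thread or from OpenLDAP itself. It assumes the documented ACI field layout OID#SCOPE#RIGHTS#TYPE#SUBJECT, with RIGHTS being ACTION;PERMS;ATTRS[;PERMS;ATTRS...]; the `grants()` helper is a deliberately simplified check (attribute and permission only, no subject matching and no deny precedence) that shows why the comparison must be made against the normalized "entry" form.

```python
"""Parse and normalize openldapaci values with multiple perms;attr groups.

Added example for the thread above; it is not OpenLDAP code. Assumed layout:
    OID#SCOPE#RIGHTS#TYPE#SUBJECT
    RIGHTS = ACTION;PERMS;ATTRS[;PERMS;ATTRS...]
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RightsGroup:
    perms: tuple   # permission letters in the order given, e.g. ("w", "r", "s", "c")
    attrs: tuple   # attribute names after normalization, e.g. ("entry",)


@dataclass(frozen=True)
class Aci:
    oid: str
    scope: str
    action: str          # "grant" or "deny"
    groups: tuple        # one RightsGroup per perms;attr pair
    subject_type: str    # e.g. "public"
    subject: str         # may be empty, as in the "public" case


def normalize_attr(attr: str) -> str:
    """Mirror the normalization described in the thread: "[entry]" on input
    becomes "entry"; "[all]" and ordinary attribute names are kept as given."""
    attr = attr.strip()
    return "entry" if attr == "[entry]" else attr


def parse_aci(value: str) -> Aci:
    """Split one openldapaci value into its fields, validating the structure."""
    fields = value.split("#")
    if len(fields) != 5:
        raise ValueError(f"expected 5 '#'-separated fields, got {len(fields)}")
    oid, scope, rights, subject_type, subject = fields
    if scope not in ("entry", "subtree"):
        raise ValueError(f"unknown scope {scope!r}")

    parts = rights.split(";")
    # ACTION followed by one or more PERMS;ATTRS pairs -> odd count, at least 3
    if len(parts) < 3 or len(parts) % 2 == 0:
        raise ValueError("rights must be ACTION;PERMS;ATTRS[;PERMS;ATTRS...]")
    action = parts[0]
    if action not in ("grant", "deny"):
        raise ValueError(f"unknown action {action!r}")

    groups = []
    for perms, attrs in zip(parts[1::2], parts[2::2]):
        perm_list = tuple(p.strip() for p in perms.split(",") if p.strip())
        if not perm_list or any(len(p) != 1 for p in perm_list):
            raise ValueError(f"malformed permission list {perms!r}")
        attr_list = tuple(normalize_attr(a) for a in attrs.split(",") if a.strip())
        if not attr_list:
            raise ValueError("empty attribute list in rights group")
        groups.append(RightsGroup(perm_list, attr_list))

    return Aci(oid, scope, action, tuple(groups), subject_type, subject)


def format_aci(aci: Aci) -> str:
    """Re-emit the value in normalized form ("[entry]" already became "entry")."""
    pieces = [aci.action]
    for g in aci.groups:
        pieces.append(",".join(g.perms))
        pieces.append(",".join(g.attrs))
    return "#".join([aci.oid, aci.scope, ";".join(pieces), aci.subject_type, aci.subject])


def grants(aci: Aci, attr: str, perm: str) -> bool:
    """Simplified check: does any group of a grant ACI cover attr/perm?
    Comparison is done on the normalized attribute name, so "entry" and
    "[entry]" never disagree. "[all]" matches any attribute."""
    if aci.action != "grant":
        return False
    wanted = normalize_attr(attr)
    return any(
        perm in g.perms and ("[all]" in g.attrs or wanted in g.attrs)
        for g in aci.groups
    )


if __name__ == "__main__":
    # Constructed sample values, including the one from the message above.
    for v in ("0#entry#grant;w,r,s,c;entry;r,s,c;objectClass#public#",
              "0#entry#grant;w;[entry]#public#"):
        print(format_aci(parse_aci(v)))
```

Running the block prints the first value unchanged and the second with "[entry]" rewritten to "entry", which is what the message says you will see when reading back a newly added ACI in 2.3.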