RE: commit: ldap/servers/slapd acl.c aclparse.c ad.c controls.c repl.c search.c sessionlog.c slap.h

["Howard Chu" <hyc@symas.com>]

> -----Original Message-----
> From: owner-openldap-devel@OpenLDAP.org
> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Pierangelo Masarati

> > I was just thinking that we need this functionality, but
> it's missing
> > something - for an excluded objectclass, it should also be
> excluded from
> > modify operations, not just add. E.g., if someone does a
> modify to add
> > an excluded objectclass to an entry, that modification
> should be dropped
> > from the replog.
>
> I think I'm overlooking the potential for its semantics;
> I think there can be many applications.  I'll consider
> you suggestion.

Well, since the objectClasses were already excluded for Adds, I took the
absence of this behavior in Modifies as a bug (ITS#2889). It took a few
iterations to get this down to a reasonable shape. I also confused myself a
few times in the Boolean algebra for an_oc_exclude but I'm pretty sure it's
right now. I have this backported to RE21 as well, ready to go (if OK to
commit).

For objectClasses a, b, c, and d, my test cases are:
	attrs=a,b,c    propagates    a,b,c
	attrs=a,!b,c                 a,c,d
	attrs=a,!b,!c                a,d
	attrs=!a,!b,!c               d
	attrs!=a,b,c                 d
       attrs!=a,!b,c                b
	attrs!=a,!b,!c               b,c
	attrs!=!a,!b,!c              a,b,c

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support