Re: Move SLAPI in an overlay...



>> That allows global overlays to implement ACL checking.
>
>but this is not working, because the BackendDB data loses information
>about the rootdn, the per-backend ACLs and so on (for instance, test002 is no
>longer working...).  I'll back out acl.c:1.280 until we find a better
>solution.

Bummer. One solution might be to have a fe_access_allowed() that selects
the appropriate backend:

int
fe_access_allowed(
        Operation               *op,
        Entry                   *e,
        AttributeDescription    *desc,
        struct berval           *val,
        slap_access_t           access,
        AccessControlState      *state,
        slap_mask_t             *maskp )
{
        BackendDB               *be_orig;
        int                     rc;

        be_orig = op->o_bd;

        /* XXX is op->o_req_ndn always appropriate? */
        op->o_bd = select_backend( &op->o_req_ndn, 0, 0 );
        rc = slap_access_allowed( op, e, desc, val, access, state, maskp );
        op->o_bd = be_orig;

        return rc;
}

But, can we rely on op->o_req_ndn being the DN that was used to select
the original backend? Not, say, for entry adds, I would have thought.
Any other ideas?

-- Luke
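
Added example, not part of the original message and not OpenLDAP code: a toy model of the save/select/restore wrapper proposed above, showing how the DN chosen for backend selection changes a per-backend rootdn decision. The Toy* types, toy_* functions, suffixes and DNs are all constructed for illustration; the real slapd structures and select_backend() are not used.

```c
#include <stddef.h>
#include <string.h>

/* Toy stand-ins, NOT OpenLDAP's real structures. All DNs are constructed. */
typedef struct { const char *suffix, *rootdn; } ToyBackend;
typedef struct { ToyBackend *o_bd; const char *o_ndn, *o_req_ndn; } ToyOp;

static ToyBackend toy_backends[] = {
    { "dc=example,dc=com",           "cn=root,dc=example,dc=com" },
    { "ou=people,dc=example,dc=com", "cn=admin,ou=people,dc=example,dc=com" },
};

/* True when dn equals suffix or ends in ",<suffix>". */
static int toy_dn_under(const char *dn, const char *suffix)
{
    size_t dl = strlen(dn), sl = strlen(suffix);
    if (sl > dl || strcmp(dn + dl - sl, suffix) != 0) return 0;
    return dl == sl || dn[dl - sl - 1] == ',';
}

/* Longest-suffix match; returns NULL when no backend holds the DN. */
ToyBackend *toy_select_backend(const char *ndn)
{
    ToyBackend *best = NULL;
    size_t i, n = sizeof toy_backends / sizeof toy_backends[0];
    for (i = 0; i < n; i++)
        if (toy_dn_under(ndn, toy_backends[i].suffix) &&
            (!best || strlen(toy_backends[i].suffix) > strlen(best->suffix)))
            best = &toy_backends[i];
    return best;
}

/* Per-backend decision reduced to one rule: only that backend's rootdn passes. */
int toy_access_allowed(const ToyOp *op)
{
    return strcmp(op->o_ndn, op->o_bd->rootdn) == 0;
}

/* Save, select, check, restore, as in the proposal; select_ndn is the DN
 * used for selection, and an unmatched DN is denied rather than dereferenced. */
int toy_fe_access_allowed(ToyOp *op, const char *select_ndn)
{
    ToyBackend *be_orig = op->o_bd;
    int rc = 0;

    op->o_bd = toy_select_backend(select_ndn);
    if (op->o_bd != NULL) rc = toy_access_allowed(op);
    op->o_bd = be_orig;
    return rc;
}
```

With the constructed people-backend rootdn as the bound identity, a request DN of dc=example,dc=com and an entry DN of uid=a,ou=people,dc=example,dc=com, selecting by the request DN denies access while selecting by the entry DN grants it.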