
Re: fe_access_allowed() odds (Was: commit: ldap/servers/slapd acl.c frontend.c proto-slap.h)



Howard Chu wrote:

Pierangelo Masarati wrote:

lukeh@OpenLDAP.org wrote:

Add fe_access_allowed(), should allow global ACL overlays to work


This didn't handle the case of requests that are correctly honored by the frontend itself. Please review my fix. Howard, what about having select_backend() return the frontendDB for the appropriate entries? Do you see any drawbacks? (all entries that don't match, or rootDSE and cn=Subschema only?)

That sounds like an odd change in behavior. Aside from the special entries (rootDSE, subschema) if select_backend() cannot find a match we should be dropping the request (either with a referral or OBJECT_NOT_FOUND).

In fact, the issue I was seeing was related to searching the rootDSE; currently, the only entries that may need this special behavior are the rootDSE ("") and the "cn=Subschema", and in that case they needed a special treatment because Luke has kind of "hijacked" the frontendDB to make it perform ACL checking for those cases that are not handled by a specific backend, so I agree this is special.


p.


SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497