Re: (ITS#5572) Append global ACL to new backends



rein@OpenLDAP.org skrev:
> Howard Chu wrote:
>> rein@OpenLDAP.org wrote:
>>> The global ACLs are not added to newly created backends, i.e. a server
>>> restart must be done before they are included.  The patch at the end
>>> should fix this.  OK to commit Howard?
>> My preference here would be to rip out everything that appends the 
>> global ACLs and instead change the access_allowed checker to reference 
>> the global ACLs directly when needed.
> 
> Agreed, that would also fix the problem that dynamic updates to the 
> global ACLs require a restart to be effective.  I can look into this 
> next week.  To be sure I have the semantics correct, it should be to 
> evaluate ACLs local to the backend first, then the global, until a 
> matching entry has been found?

I have finally had time to look at this, and I have uploaded a 
suggestion for a patch to ftp://ftp.openldap.org/incoming/ITS5572.patch.

The AccessControlState cache and its backtracking was complicating 
things a bit, but I hope I have got it correct.  All the tests succeed 
with the patch, although I'm not sure whether the cache is actually 
tested or not.

I haven't done anything with the code that avoids messing with the 
global ACL part when modifications are done to a backend ACL, it will 
simply not find any trailing frontend ACL to stay away from.

There is probably a similar problem in the pcache and translucent 
overlays, as they make a copy of the backend ACL when initializing. 
I.e. changes to the backend ACL would not be noticed until a restart? I 
haven't looked any further into this, but a bi_access_allowed function 
that dynamically fetches the be_acl from the backend could be a fix.

Rein
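The two lookup strategies discussed in this thread, the init-time appended copy of the global ACLs versus evaluating backend ACLs first and then the global ACLs by direct reference, as an added C model that is not slapd code. The acl_t/backend_t types, the DN-prefix match and the default-deny fallback are hypothetical stand-ins for slapd's AccessControl list and access_allowed().

```c
/* Added illustration, not slapd code: struct names, the prefix-match rule and the
 * default-deny fallback are hypothetical stand-ins for slapd's AccessControl/access_allowed(). */
#include <string.h>

/* One rule: applies to DNs starting with dn_prefix; allow is 1=grant, 0=deny. */
typedef struct acl { const char *dn_prefix; int allow; struct acl *next; } acl_t;
typedef struct backend { acl_t *be_acl; } backend_t;   /* backend-local rules */

/* First matching rule wins; -1 means this list did not decide. */
static int acl_match(const acl_t *list, const char *dn) {
    for (; list; list = list->next)
        if (strncmp(dn, list->dn_prefix, strlen(list->dn_prefix)) == 0)
            return list->allow;
    return -1;
}

/* Order proposed in the thread: the backend's own ACLs first, then the global
 * ACLs by direct reference, so new backends and runtime edits are seen at once. */
int access_allowed_live(const backend_t *be, const acl_t *global_acl, const char *dn) {
    int r = acl_match(be->be_acl, dn);
    if (r < 0) r = acl_match(global_acl, dn);
    return r < 0 ? 0 : r;                 /* nothing matched: deny */
}

/* Old approach: a copy of the global list appended at init; later changes
 * to the global list never reach it. */
int access_allowed_appended(const acl_t *appended_copy, const char *dn) {
    int r = acl_match(appended_copy, dn);
    return r < 0 ? 0 : r;
}

/* Scenario 1: backend with no local rules; the global rule for ou=people flips
 * from allow to deny at runtime. use_live selects live lookup vs. appended copy. */
int runtime_change_scenario(int use_live) {
    static acl_t allow_people = { "ou=people", 1, NULL };
    static acl_t deny_people  = { "ou=people", 0, NULL };
    backend_t be = { NULL };
    const acl_t *copy_at_init = &allow_people;  /* captured when backend was set up */
    const acl_t *global_acl   = &deny_people;   /* the global list after the edit */
    const char *dn = "ou=people,dc=example,dc=com";
    return use_live ? access_allowed_live(&be, global_acl, dn)
                    : access_allowed_appended(copy_at_init, dn);
}

/* Scenario 2: a backend-local deny is evaluated before a global allow. */
int local_overrides_global(void) {
    static acl_t allow_all   = { "", 1, NULL };            /* global: allow all */
    static acl_t deny_people = { "ou=people", 0, NULL };   /* backend: deny */
    backend_t be = { &deny_people };
    return access_allowed_live(&be, &allow_all, "ou=people,dc=example,dc=com");
}
```

Scenario 1 shows the appended copy still granting access after the global rule was changed to deny, while the live lookup denies; scenario 2 shows the backend-first order Rein asks about.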