
Re: commit: ldap/servers/slapd aclparse.c



ando@OpenLDAP.org wrote:
>
> Log Message:
> fixes assertion fault when the <to> clause's argument does not have a = inside

Got this bug while playing with recursive group <who> 
clause.

It works very well, but it is somewhat intrusive because
I had to add an argument to the backend_group call and to
each backend group function. The need for this sort of
access emerged from discussions on the list. 

Recalling the access syntax:
	
	access to <what> [ by <who> <access> [ <control> ] ]+

the group <who> clause

	group[/<objectclass>[/<attrname>]][.<style>]=<pattern>

allows access if the requesting dn (op_ndn) is listed
in the members (<attrname>) of a group objectclass 
(<objectclass>) whose dn matches the <pattern> (as defined
by <style>).

In case an appropriate flag is set, I made this check continue,
in case of failure, by recursively searching the requesting dn 
(op_ndn) in the group objectclasses represented by the members
of the initial objectclass that matches <pattern>.

Although dangerous (no loop check) and heavy, it may be useful.

If there are no objections I'll commit the whole stuff.

Pierangelo.

-- 
Dr. Pierangelo Masarati               | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale                | fax:   +39 02 2399 8334
Politecnico di Milano                 | mailto:masarati@aero.polimi.it
via La Masa 34, 20156 Milano, Italy   |
http://www.aero.polimi.it/~masarati
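
The recursive group check described in the message above, sketched with a visited set and a depth cap so that a membership cycle terminates. This is an added example, not code from the post or from OpenLDAP: the directory is a constructed in-memory table, and the names group_has_member, member_rec, find_group and MAX_DEPTH are hypothetical.

```c
#include <string.h>

#define MAX_DEPTH 8     /* assumed cap on nesting; bounds the cost of the search */
#define MAX_MEMBERS 4

/* Constructed stand-in for group entries; not slapd data structures. */
struct group { const char *dn; const char *members[MAX_MEMBERS]; };
static const struct group dir[] = {
    { "cn=admins,dc=example,dc=com",
      { "cn=ops,dc=example,dc=com", "uid=alice,dc=example,dc=com" } },
    { "cn=ops,dc=example,dc=com",     /* lists admins again: a membership cycle */
      { "cn=admins,dc=example,dc=com", "uid=bob,dc=example,dc=com" } },
    { "cn=loop,dc=example,dc=com", { "cn=loop,dc=example,dc=com" } },
};
#define NGROUPS (sizeof dir / sizeof dir[0])

static int find_group(const char *dn)
{
    for (size_t i = 0; i < NGROUPS; i++)
        if (strcmp(dir[i].dn, dn) == 0) return (int)i;
    return -1;                        /* member is not a group entry */
}

/* visited[] marks groups already expanded, so each group is searched once. */
static int member_rec(int g, const char *op_ndn, unsigned char *visited, int depth)
{
    if (g < 0 || visited[g] || depth > MAX_DEPTH) return 0;
    visited[g] = 1;
    /* Direct check first, as in the non-recursive group <who> clause. */
    for (int i = 0; i < MAX_MEMBERS && dir[g].members[i]; i++)
        if (strcmp(dir[g].members[i], op_ndn) == 0) return 1;
    /* On failure, descend into members that are themselves groups. */
    for (int i = 0; i < MAX_MEMBERS && dir[g].members[i]; i++)
        if (member_rec(find_group(dir[g].members[i]), op_ndn, visited, depth + 1))
            return 1;
    return 0;
}

/* Returns 1 if op_ndn is a direct or nested member of group_dn, else 0. */
int group_has_member(const char *group_dn, const char *op_ndn)
{
    unsigned char visited[NGROUPS] = {0};
    return member_rec(find_group(group_dn), op_ndn, visited, 0);
}

int main(void)
{
    return group_has_member("cn=admins,dc=example,dc=com", "uid=bob,dc=example,dc=com") ? 0 : 1;
}
```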