Re: ACIs rely on multivalue attribute order (Was: are mulivalued attributes really unordered?)
- To: "Howard Chu" <hyc@symas.com>
- Subject: Re: ACIs rely on multivalue attribute order (Was: are mulivalued attributes really unordered?)
- From: "Pierangelo Masarati" <ando@sys-net.it>
- Date: Mon, 22 Nov 2004 12:16:51 +0100 (CET)
- Cc: Michael Ströder <michael@stroeder.com>, openldap-devel@OpenLDAP.org
- Domainkey-signature: a=rsa-sha1; s=mail; d=sys-net.it; c=simple; q=dns; b=UFb4RU9QZS5NgB4823fJsDqvYzRSFaJmpaINjHIF1LsOCa/miBxTH620+IcGaGkci gJ2MpWkyaffg9ZdpUPajw==
- Importance: Normal
- In-reply-to: <41A1BB75.2070709@symas.com>
- References: <200411191051.13403.misty@borkholder.com> <m37johequh.fsf@marin.l4b.de> <419E876D.5050804@worldpac.com> <41A19CAE.2040302@stroeder.com> <33821.81.74.43.82.1101113045.squirrel@81.74.43.82> <34533.81.74.43.82.1101113970.squirrel@81.74.43.82> <41A1B30E.40106@stroeder.com> <41A1BB75.2070709@symas.com>
- User-agent: SquirrelMail/1.4.3a-1
[moved to -devel]
> Michael Ströder wrote:
>
>> Pierangelo Masarati wrote:
>>
>>>> On a related note, I see that the current implementation of ACIs
>>>> relies on the ordering of multivalued attributes; in fact, ACI values
>>>> are evaluated in the order they appear, and as soon as one matches,
>>>> the checking terminates; of course, writing ACIs with different values
>>>> of the OpenLDAPaci attributes that overlap would be considered wrong,
>>>> but in any case it is possible and I guess in some cases it may also
>>>> be considered desirable (I didn't consider this enough to exclude that
>>>> possibility).
>>>
>>> I overlooked the design; the above is only partially true, in the sense
>>> that all rules (i.e. all values) are evaluated for a single object; what
>>> I haven't understood yet is if the order in which they are evaluated is
>>> irrelevant or may alter the resulting permissions.
>>
>> Grabbed example data (and snipped lines) from
>> http://www.openldap.org/faq/data/cache/634.html:
>>
>> OpenLDAPaci: 1#entry#grant;r,w,s,c;[all]#group#cn=enterprise [..]
>> OpenLDAPaci: 2#entry#grant;r,w,s,c;[all]#group#cn=dallas [..]
>> OpenLDAPaci: 3#entry#grant;r,w,s,c;userPassword,mail; [..]
>> OpenLDAPaci: 4#entry#grant;r,s,c;[all]#group#cn=all [..]
>> ^^^
>> AFAICS the prefixed numbers preserve the ACI evaluation order. So
>> there is an order defined for the values themselves together with
>> semantics. However there is no order how the values are stored or
>> transmitted over LDAP.
>>
>> Didn't we have this topic before...?
>
> Yes, I'm sure we did. And for back-config I'm introducing a schema flag
> X-ORDERED-VALUES to specify that values of a particular attribute have
> their order preserved and may be referenced by position, not just by
> value. Of course, I think this was discussed on -devel, not -software.
I must have missed that discussion; however, I've been playing with ACIs
last weekend, and I didn't see anything in the code that preserves any
ordering... unless I overlooked something. In any case, for the purpose
of ACIs (i.e. being replicable, even cross-platform, access info), this is
a clear violation of the protocol and thus will not be portable, unless I'm
overlooking something else.
Ciao, p.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
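The order dependence discussed in this thread, shown as an added Python example that is not part of the thread or of the OpenLDAP code base. It uses a reduced, assumed grammar for OpenLDAPaci values (ordinal#scope#action;rights;attrs#subjecttype#subject, with only group subjects modelled), constructed sample values patterned on the four lines quoted above with placeholder DNs, and the first-match semantics Pierangelo describes. `outcomes_over_orderings` walks the raw values in every possible order and collects the distinct decisions, which is what a server that does not preserve value order can produce; `evaluate` sorts by the numeric prefix first, so the decision no longer depends on storage or transmission order; `ordinals_are_unique` is the precondition that makes that sort a total order.

```python
import itertools
from dataclasses import dataclass

# Constructed sample values, modelled on the four OpenLDAPaci lines quoted in
# the thread; the DNs and the subject of value 3 are placeholders, not real data.
SAMPLE_ACIS = [
    "1#entry#grant;r,w,s,c;[all]#group#cn=enterprise,ou=groups,dc=example,dc=com",
    "2#entry#grant;r,w,s,c;[all]#group#cn=dallas,ou=groups,dc=example,dc=com",
    "3#entry#grant;r,w;userPassword,mail#group#cn=helpdesk,ou=groups,dc=example,dc=com",
    "4#entry#grant;r,s,c;[all]#group#cn=all,ou=groups,dc=example,dc=com",
]


@dataclass(frozen=True)
class Aci:
    ordinal: int          # numeric prefix meant to fix the evaluation order
    scope: str            # "entry" in the quoted examples
    action: str           # "grant" or "deny"
    rights: frozenset     # e.g. {"r", "w", "s", "c"}
    attrs: frozenset      # {"[all]"} or explicit attribute names
    subject_type: str     # only "group" is modelled here (assumption)
    subject: str          # group DN


def parse_aci(value):
    """Parse one value of the reduced grammar
    ordinal#scope#action;rights;attrs#type#subject.
    This is an assumed simplification of the real OpenLDAPaci syntax."""
    ordinal, scope, rights_spec, subject_type, subject = value.split("#", 4)
    action, rights, attrs = rights_spec.split(";", 2)
    return Aci(int(ordinal), scope, action,
               frozenset(rights.split(",")), frozenset(attrs.split(",")),
               subject_type, subject)


def first_match(acis, member_of, attr, right):
    """First-match evaluation as the thread describes it: walk the values in
    the given order and decide on the first one whose subject and attribute
    clause apply. No applicable value means the access is not granted."""
    for aci in acis:
        if aci.subject_type != "group" or aci.subject not in member_of:
            continue
        if "[all]" not in aci.attrs and attr not in aci.attrs:
            continue
        return aci.action == "grant" and right in aci.rights
    return False


def evaluate(values, member_of, attr, right):
    """Order-independent evaluation: sort by the ordinal prefix before the
    first-match walk, so the server's value order no longer matters."""
    acis = sorted((parse_aci(v) for v in values), key=lambda a: a.ordinal)
    return first_match(acis, member_of, attr, right)


def outcomes_over_orderings(values, member_of, attr, right):
    """Apply first_match to every permutation of the raw values (no sorting)
    and collect the distinct decisions; more than one element shows that the
    result depends on value order."""
    acis = [parse_aci(v) for v in values]
    return {first_match(list(p), member_of, attr, right)
            for p in itertools.permutations(acis)}


def evaluate_is_order_independent(values, member_of, attr, right):
    """True when the sorted evaluation gives one decision for every ordering
    in which the values could arrive."""
    decisions = {evaluate(list(p), member_of, attr, right)
                 for p in itertools.permutations(values)}
    return len(decisions) == 1


def ordinals_are_unique(values):
    """Sorting only restores a total order if no two values share a prefix."""
    ordinals = [parse_aci(v).ordinal for v in values]
    return len(ordinals) == len(set(ordinals))


if __name__ == "__main__":
    dallas_member = {"cn=dallas,ou=groups,dc=example,dc=com",
                     "cn=all,ou=groups,dc=example,dc=com"}
    print("sorted evaluation, write on mail:",
          evaluate(SAMPLE_ACIS, dallas_member, "mail", "w"))
    print("decisions over all raw orderings:",
          outcomes_over_orderings(SAMPLE_ACIS, dallas_member, "mail", "w"))
```

For a requester in both cn=dallas and cn=all, write access to mail is granted when value 2 is seen before value 4 and refused when value 4 comes first, so the raw first-match walk yields both decisions across orderings while the sorted walk always yields one; a replica that reorders the values would silently change the effective permissions unless it sorts the same way.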