[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACIs rely on multivalue attribute order (Was: are mulivalued attributes really unordered?)

To: Michael Ströder <michael@stroeder.com>
Subject: Re: ACIs rely on multivalue attribute order (Was: are mulivalued attributes really unordered?)
From: "Pierangelo Masarati" <ando@sys-net.it>
Date: Mon, 22 Nov 2004 12:29:17 +0100 (CET)
Cc: openldap-devel@OpenLDAP.org
Domainkey-signature: a=rsa-sha1; s=mail; d=sys-net.it; c=simple; q=dns; b=bO42SnAKp+LjEeHP+opp6vFlErlAGqD5sLCcPzs9tz7ni99ijicVb80TivfpxySHo K/1cEk7BoVlhtrF1+A2Hw==
Importance: Normal
In-reply-to: <41A1CC00.9090903@stroeder.com>
References: <200411191051.13403.misty@borkholder.com> <m37johequh.fsf@marin.l4b.de> <419E876D.5050804@worldpac.com> <41A19CAE.2040302@stroeder.com> <33821.81.74.43.82.1101113045.squirrel@81.74.43.82> <34533.81.74.43.82.1101113970.squirrel@81.74.43.82> <41A1B30E.40106@stroeder.com> <41A1BB75.2070709@symas.com> <22338.193.203.232.5.1101122211.squirrel@193.203.232.5> <41A1CC00.9090903@stroeder.com>
User-agent: SquirrelMail/1.4.3a-1

> Pierangelo Masarati wrote:
>>>>OpenLDAPaci: 1#entry#grant;r,w,s,c;[all]#group#cn=enterprise [..]
>>>>OpenLDAPaci: 2#entry#grant;r,w,s,c;[all]#group#cn=dallas [..]
>>>>OpenLDAPaci: 3#entry#grant;r,w,s,c;userPassword,mail; [..]
>>>>OpenLDAPaci: 4#entry#grant;r,s,c;[all]#group#cn=all [..]
>>>>            ^^^
>>>>AFAICS the prefixed numbers preserve the ACI evaluation order.
>>
>> [..] this is
>> a clear violation of the protocol and thus will not portable,
>
> Ordering is preserved by definition and proper handling of the ACI
> syntax (not LDAP syntax or protocol). See numbered prefix in the
> attribute values above. Ordering at protocol level is *not* assumed for
> ACIs.

I mean: if you (or the implementation...) shuffle them

OpenLDAPaci: 2#entry#grant;r,w,s,c;[all]#group#cn=dallas [..]
OpenLDAPaci: 1#entry#grant;r,w,s,c;[all]#group#cn=enterprise [..]
OpenLDAPaci: 4#entry#grant;r,s,c;[all]#group#cn=all [..]
OpenLDAPaci: 3#entry#grant;r,w,s,c;userPassword,mail; [..]

then nothing in the current code even looks at the first data to put them
back in order.  This is my understanding of what the current code does.

I agree the first field is essentially intended to order ACIs, and ACIs
are intended to be machine-writable rather than human-writable, so the
implementation could safely assume they're always ordered; however, if at
some point somebody decides to store multivalued attrs, for instance, in
stacks, then the evaluation would occur in reversed insert order unless we
take countermeasures which __ARE_NOT__ currently in place.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it

    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497

References:
- Re: ACIs rely on multivalue attribute order (Was: are mulivalued attributes really unordered?)
  - From: "Pierangelo Masarati" <ando@sys-net.it>
- Re: ACIs rely on multivalue attribute order (Was: are mulivalued attributes really unordered?)
  - From: Michael Ströder <michael@stroeder.com>

Prev by Date: Re: ACIs rely on multivalue attribute order (Was: are mulivalued attributes really unordered?)
Next by Date: Access control in pcache
Index(es):
- Chronological
- Thread