Re: Issue with default ACL selection and back-config (revitalizing ITS#3100?...)



Kurt D. Zeilenga wrote:

At 04:59 PM 4/12/2005, Howard Chu wrote:


Pierangelo Masarati wrote:



In access_allowed(), when called with null o_bd field, the first database is selected, where the first real database is traditionally intended.  The current code has been modified to pick the first database by calling

     op->o_bd = LDAP_STAILQ_FIRST( &backendDB );

However, if back-config is enabled, it is forced to be the first database in the list. I can't figure out, right now, how this can be solved in a clean manner.


Of course, forcing back-config to be the first backend was only necessary when Backends was an array that got realloc'd, because I needed a reliable way to get hold of it. Since Backends is now a linked list, we could allow back-config to be anywhere in the order, thus preserving the intended behavior.

Hmmm... As per ITS#3100, the behavior to use the first backend has been in place for a long time, but it doesn't make a lot of sense in itself, it seems it was just a hack (acl.c rev 1.93) to allow ACL checks to be performed on the rootDSE and other objects that live outside of a regular backend. Since we now have a frontendDB where the global ACLs live, I think we should just use the frontendDB here.


I note that we've had global ACLs for a long time (which
not only applied to the root DSE, but to all backends
after their specific ACLs).


True. Which makes the "first DB" behavior seem unnecessary.

I'm fine with doing away with the "first DB ACLS are used if
no global ACLs" feature.

The one difference is that with the "first DB" behavior, a user bound as the rootDN of the first DB would automatically have unrestricted access to the rootDSE etc. (Not that there's anything in there for which root access is particularly important.) Removing this feature would require explicit global ACLs for those cases, as the rootDN of the first DB would no longer be "special" in the context of the rootDSE or schema subentry.

--
 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support
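The selection rule the thread is arguing about, modelled in C as an added example (this is not OpenLDAP code; the names toy_db, toy_op, acl_scope_db, rootdse_access, rootdse_scope and the suffixes and rootdns are constructed for illustration). It uses the BSD STAILQ macros from sys/queue.h, which LDAP_STAILQ_FIRST mirrors, and shows why the "first DB" fallback for a null o_bd makes the ACL scope of the rootDSE depend on backend order once back-config sits first in the list, and what changes when the frontendDB is used instead: the rootDN of the first real database stops being special for the rootDSE, so that access must come from explicit global ACLs.

```c
#include <stdio.h>
#include <string.h>
#include <sys/queue.h>

/* Toy model of the slapd structures the thread talks about. Added example,
 * not OpenLDAP code: toy_db, toy_op and the function names are invented. */
typedef struct toy_db {
    const char *suffix;      /* "" for the frontend, "cn=config" for back-config */
    const char *rootdn;      /* NULL when the database has no rootdn */
    STAILQ_ENTRY(toy_db) be_next;
} toy_db;

STAILQ_HEAD(toy_dbhead, toy_db);

typedef struct toy_op {
    toy_db     *o_bd;        /* NULL for the rootDSE, schema subentry, etc. */
    const char *o_ndn;       /* normalized bound DN, NULL when anonymous */
} toy_op;

enum acl_policy { POLICY_FIRST_DB, POLICY_FRONTEND_DB };

/* Choose the database whose ACLs (and rootdn) apply when op->o_bd is NULL. */
static toy_db *acl_scope_db(toy_op *op, struct toy_dbhead *backendDB,
                            toy_db *frontendDB, enum acl_policy policy)
{
    if (op->o_bd != NULL)
        return op->o_bd;
    /* Old acl.c behaviour: the first database in the list, whatever it is. */
    if (policy == POLICY_FIRST_DB)
        return STAILQ_FIRST(backendDB);
    /* Proposed behaviour: the frontendDB, where the global ACLs live. */
    return frontendDB;
}

/* rootdn short-circuit: binding as the scoped database's rootdn is unrestricted. */
static int has_root_access(const toy_op *op, const toy_db *db)
{
    return db->rootdn != NULL && op->o_ndn != NULL &&
           strcmp(db->rootdn, op->o_ndn) == 0;
}

/* Build a backend list with back-config first or last, then ask which database
 * an operation on the rootDSE (o_bd == NULL) is scoped to under the given
 * policy and whether bind_dn gets rootdn access there. Returns 1 for root
 * access, 0 otherwise; *scope receives the suffix of the selected database. */
static int rootdse_access(int config_first, enum acl_policy policy,
                          const char *bind_dn, const char **scope)
{
    toy_db frontend = { "", NULL, { NULL } };     /* global ACLs, no rootdn */
    toy_db config   = { "cn=config", "cn=config", { NULL } };
    toy_db data     = { "dc=example,dc=com", "cn=Manager,dc=example,dc=com", { NULL } };
    struct toy_dbhead backendDB = STAILQ_HEAD_INITIALIZER(backendDB);

    if (config_first) {
        STAILQ_INSERT_TAIL(&backendDB, &config, be_next);
        STAILQ_INSERT_TAIL(&backendDB, &data, be_next);
    } else {
        STAILQ_INSERT_TAIL(&backendDB, &data, be_next);
        STAILQ_INSERT_TAIL(&backendDB, &config, be_next);
    }

    toy_op op = { NULL, bind_dn };                /* e.g. a read of the rootDSE */
    toy_db *db = acl_scope_db(&op, &backendDB, &frontend, policy);
    *scope = db->suffix;
    return has_root_access(&op, db);
}

/* Convenience wrapper returning only the suffix of the selected database. */
static const char *rootdse_scope(int config_first, enum acl_policy policy)
{
    const char *scope;
    rootdse_access(config_first, policy, NULL, &scope);
    return scope;
}

int main(void)
{
    const char *scope;
    const char *mgr = "cn=Manager,dc=example,dc=com";
    int r;

    r = rootdse_access(0, POLICY_FIRST_DB, mgr, &scope);
    printf("data first,   first-DB policy: scope=\"%s\" root=%d\n", scope, r);
    r = rootdse_access(1, POLICY_FIRST_DB, mgr, &scope);
    printf("config first, first-DB policy: scope=\"%s\" root=%d\n", scope, r);
    r = rootdse_access(1, POLICY_FRONTEND_DB, mgr, &scope);
    printf("config first, frontend policy: scope=\"%s\" root=%d\n", scope, r);
    return 0;
}
```

The first run reproduces the long-standing behaviour (the Manager of the first real database is root for the rootDSE); the second shows what happens once back-config is forced to the head of the list (the scope silently becomes cn=config and its rootdn, not the data database's); the third shows the frontendDB proposal, where no database rootdn applies and only global ACLs decide.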