Re: does back-sql bypass ACL ?



Hi!

Thomas Cramer <cramert@musc.edu> writes:
> I can't totally recall without looking at the code (maybe Kurt knows
> better), but the access attributes are controlled by the "core" part of
> openldap.

It seems to be true for read operations only, not for others. For example:

servers/slapd/back-sql/modify.c

in function backsql_add:

it verifies if:

- dn is valid
- objectclass exists.
- "create procedure" exists for the DBMS.

After that, this function gets a connection to the DBMS and calls the
"add" procedure of the DBMS. I do not see any ACL verification.

I imagine that no verifications are made before calling this function,
since it is here that the validity of the dn and objectclass is
checked. Maybe I am wrong.

See you.