I ran into this issue when attempting to enforce group ACLs on a translucent proxy where
all group information is stored on the proxied directory.
I implemented a hack in 2.3.43 (RHEL-5, we're a bit behind the times) to implement
bi_entry_get_rw on slapo-translucent and rewire calls within the overlay from
be_entry_get_rw to overlay_entry_get_ov. To prevent internal calls to be_entry_get_rw
from invoking the new function (and potentially resulting in infinite recursion), I
reworked the calls to overlay_entry_get_ov to use on->on_next instead of the top of the
overlay stack. I believe that this was the original intent of these uses anyway, to obtain
the local-backend information, so the call should start at the next overlay, or go directly to
the underlying database if there are no other overlays on the stack. I also applied a
small patch to backover.c to support passing NULL to the on parameter of
overlay_entry_get_ov and its release function to signify that the bottom of the overlay
stack has been reached and to just call the backend database. When merging remote and
local records, the local records were duped and released immediately, the dupes appended
to the returned entry, and the caller left responsible for calling entry_free.
I have not thoroughly tested this code and I will need to rewrite it for 2.4 anyway (when
we move to it, hopefully later this year), but wanted to check if there has been any
progress on this issue that would obviate my need to port this to 2.4. If not, aside from
what I described above, am I missing any glaring issues that I would need to address to get
a complete solution to this issue?