Emmanuel Dreyfus wrote:
Pierangelo Masarati ando@sys-net.it wrote:
I mean: test006 is broken now, we can no longer make test. You should check why the test is broken and try to fix it :) Probably, according to the old access rule, a user with "add" permission for entries is adding an entry without having "add" permission on all the attributes.
The culprit is the ACL on attrs=objectclass at the top of the file:
    access to attrs=objectclass
        by * =rsc stop
If I change it that way, test006 passes:
    access to attrs=objectclass
        by dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" add
        by * =rsc stop
Not sure it is a correct fix, though.
Sounds correct. I mean: since no objectClass modification was performed in the test, given the expected behavior of access control for add operations, there was no need to give anyone add permission on objectClass. What you suggest seems to be the minimal add permission to let the test pass, and I think it's fine to re-enable that test right now. Should the test change (more add operations), ACLs will be tweaked further.
Go ahead and commit :)
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando@sys-net.it
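Added example, not part of the original thread and not OpenLDAP code: a simplified Python model of how the two objectclass ACLs quoted above are evaluated when an entry is added. It assumes a single "access to attrs=..." rule, only "*" and dn.exact who-clauses, first-match-wins with an implicit trailing "by * none", and the per-attribute add check described in the thread; the function and constant names are hypothetical.

```python
# Simplified model of slapd ACL evaluation (added example, not OpenLDAP code).
# Assumptions: one "access to attrs=..." rule, "*" and dn.exact who-clauses
# only, first matching "by" clause wins, implicit trailing "by * none".

# Access levels expand to privilege letters as listed in slapd.access(5).
LEVELS = {"none": "0", "disclose": "d", "auth": "dx", "compare": "cdx",
          "search": "scdx", "read": "rscdx", "add": "arscdx",
          "delete": "zrscdx", "write": "wrscdx", "manage": "mwrscdx"}

# Bind DN used in the ACL proposed in the thread.
BJORN = ("cn=Bjorn Jensen,ou=Information Technology Division,"
         "ou=People,dc=example,dc=com")

def privileges(access):
    """Turn a level name ("add") or a literal set ("=rsc") into privilege letters."""
    letters = access[1:] if access.startswith("=") else LEVELS[access]
    privs = set(letters) - {"0"}
    if "w" in privs:            # write is add (a) plus delete (z)
        privs |= {"a", "z"}
    return privs

def granted(by_clauses, bind_dn):
    """Return the privileges of the first by-clause whose 'who' matches bind_dn."""
    for who, access in by_clauses:
        if who == "*" or who.lower() == f'dn.exact="{bind_dn}"'.lower():
            return privileges(access)
    return set()                # implicit "by * none"

def can_add_attr(by_clauses, bind_dn):
    """Per the thread: adding an entry needs add (a) on each attribute it carries."""
    return "a" in granted(by_clauses, bind_dn)

# ACL on attrs=objectclass as it stood when test006 broke.
OLD_ACL = [("*", "=rsc")]
# ACL proposed in the thread: Bjorn gets add, everyone else keeps =rsc.
NEW_ACL = [(f'dn.exact="{BJORN}"', "add"), ("*", "=rsc")]

if __name__ == "__main__":
    for name, acl in (("old", OLD_ACL), ("new", NEW_ACL)):
        print(name, "ACL lets Bjorn add objectClass:", can_add_attr(acl, BJORN))
```

With the old rule every identity, Bjorn included, stops at "by * =rsc" and never receives the add privilege; with the new rule only Bjorn's DN matches the first clause and everyone else still falls through to =rsc.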