----- Howard Chu hyc@symas.com wrote:
Emmanuel Dreyfus wrote:
Howard Chu hyc@symas.com wrote:
I think Emmanuel's patch looks correct, and the corresponding patch needs to be made for a lot of other backends.
Cool, I can do that. Two other questions:
- do we want an option to enable this behavior? The change could affect
existing setups that rely on this "feature"
I'm inclined not to have a particular option for this. It's simply plugging a long-standing hole.
As I said, I agree about the hole; however, I remember raising this issue myself earlier and receiving a satisfactory response about the fact that the current software complies with specs. I need to dig this out.
- should modrdn be fixed the same way? Other operations?
I'm not yet convinced. What's the scenario you see here?
Unless one uses authzTo/authzFrom as a naming attribute, I don't see any issue. I haven't checked, but I believe modrdn already needs to comply with ACLs in a manner that allows fine-grained enough control. In fact, modrdn needs to pass access control both for the old and the new (r)dn, and the use of filters, sets and so on allows one to condition access on the entry's content.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando@sys-net.it
-----------------------------------
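As an illustration of the point about filters and sets conditioning modrdn access on entry content, here is an added slapd.conf ACL fragment. It is not from the thread or from the OpenLDAP source; the suffix, group DN and attribute names are assumptions, and the statement of which pseudo-attributes a rename must pass write access for (entry on the renamed object, children on the parent(s), and the new RDN attribute) reflects slapd.access(5) as the editor recalls it and should be verified against the version in use.

```text
# Added example, not part of the original message. Assumed suffix dc=example,dc=com.
#
# Only members of the admins group may rename (modrdn) person entries, and
# only if the entry carries no authzTo value, so the naming attribute
# cannot be used to move a proxy-authorization grant under a new name.
# The filter= clause conditions the rule on entry content; the set clause
# resolves group membership at evaluation time.
access to dn.subtree="ou=people,dc=example,dc=com"
    filter=(&(objectClass=inetOrgPerson)(!(authzTo=*)))
    attrs=entry,uid
    by set="[cn=admins,dc=example,dc=com]/member & user" write
    by self read
    by * none

# A rename that changes the parent also needs write on the children
# pseudo-attribute of the target (and source) container.
access to dn.base="ou=people,dc=example,dc=com"
    attrs=children
    by set="[cn=admins,dc=example,dc=com]/member & user" write
    by * none

# authzTo/authzFrom themselves stay writable only by the admins group,
# independent of the rename rules above.
access to dn.subtree="ou=people,dc=example,dc=com"
    attrs=authzTo,authzFrom
    by set="[cn=admins,dc=example,dc=com]/member & user" write
    by * read
```

A quick way to exercise this is to attempt an ldapmodrdn as a non-admin bind against an entry that has an authzTo value and confirm it is refused with insufficientAccessRights, then repeat as a group member against an entry without authzTo and confirm it succeeds; slapacl(8) can evaluate the same rules offline against a given bind DN and entry.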