Pierangelo Masarati wrote:
Howard Chu wrote:
>
> I think the groups should not even have been cached in the first
> place; lookups for auth purposes usually set op->o_nocaching.
You're right; but the point doesn't seem to be about caching during
the authorization-related internal lookup; caching seems to occur
earlier, while checking access to the authzTo/authzFrom attrs. There
might be some issue in the authz resolution.
The issue seems to occur in
slap_sasl_check_authz(), which calls
backend_attribute() to gather authzTo/authzFrom complying with access
control. The point is: should "no caching" be set here or directly in
backend_attribute()? It seems to me that few cases of using
backend_attribute() would require caching of access control...
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati(a)sys-net.it
------------------------------------------