Need a change to the ACL code

Nadezhda Ivanova nivanova at samba.org
Tue Mar 2 06:53:34 MST 2010


Hi Andrew,
If I understand correctly, the problem is the acl module will no longer
receive "rename" requests and therefore cannot handle them?
One possible solution - the easiest and fastest one - would be to split the
acl module so that we have a separate rename part, which can go under rdn. I
can do that and test it easily. Another way is to implement some sort of API
for ACL checking. It would solve the module stack issue, but the checks will
be scattered around too much in the code. What do you think?

Regards,
Nadya

On Tue, Mar 2, 2010 at 9:06 AM, Andrew Bartlett <abartlet at samba.org> wrote:

> Nadezhda,
>
> I need a hand with the ACL code, but I'm not sure what the status is
> exactly.  What are we using the code for at the moment?
>
> Anyway, the change I need is to consider any change to the relative
> distinguished name (be it via rename or addition) to be a modification
> that needs to be checked.
>
> I want to use the attached patch, and then to use this module for
> OpenLDAP:
> ftp://ftp.openldap.org/incoming/pierangelo-masarati-2009-08-03-rdnval.2.c
>
> The challenge that gives is that I need to move the location in the
> module stack of rdn_name, to keep behaviour consistent.
>
> The background here is that when used with tdb, this change puts the
> "rdn_name" module further down the stack - and so it does not create
> modify requests for renames at the ACL module any more.  When used with
> a patched OpenLDAP, it hopefully allows OpenLDAP to update the "name"
> attribute, so rdn_name isn't used at all.  This means that the ACL
> module needs to be updated to cope with this changed circumstance.
>
> Thanks,
>
> Andrew Bartlett
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
> Samba Developer, Cisco Inc.
>
>
>
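
The stack-ordering effect described in the quoted message, as an added toy model in C that is not part of either e-mail and is not Samba's ldb code. The enum names, `next_request` and `acl_view_of_rename` are hypothetical, and the model assumes only that a module's extra requests go to the modules below it.

```c
#include <stdio.h>

/* Toy model (constructed, not Samba's ldb API): a request passes down a
 * stack of modules; each module may act on it and issue extra requests
 * to the modules below itself. */
enum op { OP_RENAME, OP_MODIFY };
enum mod { MOD_ACL, MOD_RDN_NAME, MOD_BACKEND };

struct seen { int renames; int modifies; };

/* Pass `op` to stack[i..n-1]; record what the ACL module gets to check. */
static void next_request(const enum mod *stack, int n, int i, enum op op,
                         struct seen *acl)
{
    if (i >= n) return;
    switch (stack[i]) {
    case MOD_ACL:
        if (op == OP_RENAME) acl->renames++; else acl->modifies++;
        next_request(stack, n, i + 1, op, acl);
        break;
    case MOD_RDN_NAME:
        next_request(stack, n, i + 1, op, acl);
        /* after a rename, update "name" via a modify sent further down */
        if (op == OP_RENAME)
            next_request(stack, n, i + 1, OP_MODIFY, acl);
        break;
    case MOD_BACKEND:
        break; /* storage: end of the stack */
    }
}

/* What the ACL module sees for one client rename with this ordering. */
struct seen acl_view_of_rename(const enum mod *stack, int n)
{
    struct seen s = {0, 0};
    next_request(stack, n, 0, OP_RENAME, &s);
    return s;
}

int main(void)
{
    const enum mod before[] = { MOD_RDN_NAME, MOD_ACL, MOD_BACKEND };
    const enum mod after[]  = { MOD_ACL, MOD_RDN_NAME, MOD_BACKEND };
    struct seen b = acl_view_of_rename(before, 3);
    struct seen a = acl_view_of_rename(after, 3);
    printf("rdn_name above acl: renames=%d modifies=%d\n", b.renames, b.modifies);
    printf("rdn_name below acl: renames=%d modifies=%d\n", a.renames, a.modifies);
    return 0;
}
```

With `rdn_name` below the ACL module, the model's ACL module sees only the rename and never the follow-up modify of "name", so any check on the RDN change has to be made on the rename request itself.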

