Need a change to the ACL code

Nadezhda Ivanova nivanova at samba.org
Tue Mar 2 14:05:58 MST 2010


Hi Andrew,
I guess I wasn't paying attention to the patch.
Actually a rename/move operation has some additional access checks that need
to pass, so relying on the modifies will not do. But I'll apply your patch
and trace exactly what is happening, and we'll find a workaround. The change
affects also working with tdb, right? I mean, I do not have to reprovision
with openLDAP to see the changed flow?

Regards,
Nadya

On Tue, Mar 2, 2010 at 10:38 PM, Andrew Bartlett <abartlet at samba.org> wrote:

> On Tue, 2010-03-02 at 15:53 +0200, Nadezhda Ivanova wrote:
> > Hi Andrew,
> > If I understand correctly, the problem is the acl module will no
> > longer receive "rename" requests and therefore cannot handle them?
> > One possible solution  - the easiest and fastest one - would be to
> > split the acl module so that we have a separate rename part, which can
> > go under rdn. I can do that and test it easily. Another way is to
> > implement some sort of API for ACL checking. It would solve the module
> > stack issue, but the checks will be scattered around too much in the
> > code. What do you think?
>
> No, it's actually the opposite.  At the moment, there is no need to
> check that the RDN is permitted to be modified, because a rename will
> also have a 'modify' directly before or after it, in the same
> transaction.
>
> Now, the rename will not have that associated modify when it passes
> through the ACL module.
>
> I'm sorry if I wasn't clear - it's a difficult change to explain :-(
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
> Samba Developer, Cisco Inc.
>
>

