Need a change to the ACL code

Andrew Bartlett abartlet at samba.org
Tue Mar 2 14:13:39 MST 2010


On Tue, 2010-03-02 at 23:05 +0200, Nadezhda Ivanova wrote:
> Hi Andrew,
> I guess I wasn't paying attention to the patch.
> Actually a rename/move operation has some additional access checks that need
> to pass, so relying on the modifies will not do. But I'll apply your patch
> and trace exactly what is happening, and we'll find a workaround. The change
> affects also working with tdb, right? I mean, I do not have to reprovision
> with openLDAP to see the changed flow?

Correct.  I made the change to the standard 'with tdb' module stack to
try and have consistent behaviour between backends. 

To make it more clear (I should have included an example up front):

So, imagine I am not allowed to write to attribute 'ou', and I rename an
object from 'ou=blah,dc=example,dc=com' to 'ou=foo,dc=example,dc=com'.
Nothing at the moment, as I read the code, stops this.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
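
The rename case described in the message above, as an added example that is not part of the original e-mail and is not Samba's ACL code: a simplified Python model in which a rename is treated as an implied write to the RDN attribute. The function names, the `check_rdn_write` switch and the set of writable attributes are assumptions made for illustration.

```python
# Simplified model of the check discussed in the thread; NOT Samba's ACL module.
# Assumptions: naive DN parsing (no escaped commas, no multi-valued RDNs), and
# the other access checks a rename/move needs are outside this model.

def split_rdn(dn):
    """Return (attr, value, parent) for the leading RDN of a DN string."""
    rdn, _, parent = dn.partition(",")
    attr, _, value = rdn.partition("=")
    return attr.strip().lower(), value.strip(), parent.strip().lower()


def implied_attribute_writes(old_dn, new_dn):
    """Attributes whose value changes as a side effect of the rename."""
    old_attr, old_val, _ = split_rdn(old_dn)
    new_attr, new_val, _ = split_rdn(new_dn)
    if (old_attr, old_val) == (new_attr, new_val):
        return set()                 # pure move: the RDN itself is untouched
    return {old_attr, new_attr}      # the naming attribute is rewritten


def check_rename(old_dn, new_dn, writable_attrs, check_rdn_write=True):
    """Return (allowed, reason).

    writable_attrs: lowercase attribute names the caller may write.
    check_rdn_write=False models a rename path that never consults the
    attribute-level write permission (the gap the message describes).
    """
    if check_rdn_write:
        denied = implied_attribute_writes(old_dn, new_dn) - set(writable_attrs)
        if denied:
            return False, "no write access to: " + ", ".join(sorted(denied))
    return True, "ok"


# Constructed sample input, using the DNs from the message.
OLD_DN = "ou=blah,dc=example,dc=com"
NEW_DN = "ou=foo,dc=example,dc=com"
CALLER_WRITABLE = {"description"}    # caller may not write 'ou'

if __name__ == "__main__":
    print(check_rename(OLD_DN, NEW_DN, CALLER_WRITABLE, check_rdn_write=False))
    print(check_rename(OLD_DN, NEW_DN, CALLER_WRITABLE))
```
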
