[Freeipa-devel] [389-devel] Design review (second): Access control on entries specified in MODDN operation (ticket 47553)

thierry bordaz tbordaz at redhat.com
Fri Feb 28 10:37:59 UTC 2014


Hi Ludwig,

Thanks for catching that, I will update the doc.
When the legacy server receives an aci with that new syntax, it does not 
recognize the new keywords (moddn, target_to, target_from) so the parser 
fails and the aci is simply ignored.
In the implementation (__aclp__parse_ac), 'target_to' and 'target_from'
should be tested before 'target' because, the way it is coded,
'target_to'/'target_from' could be interpreted as the 'target' keyword.

regards
thierry
On 02/27/2014 05:36 PM, Ludwig Krispenz wrote:
> Hi,
>
> in the replication section you describe the behaviour when replicating
> to older versions of ds, but this is for n1, how about the new design?
>
> Ludwig
> On 02/27/2014 04:46 PM, thierry bordaz wrote:
>> Hello,
>>
>> Thanks for all your feedback; it helped me a lot and raised a
>> severe limitation in the original design.
>> I updated the design following the aci syntax proposed during the 
>> discussion.
>> On the implementation side, it is a bit more complex but less than I 
>> expected. I have not yet investigated the impact of ger operations.
>>
>> I think a big piece of work will be the test side, as the ACI syntax
>> provides many options.
>>
>> http://port389.org/wiki/Access_control_on_trees_specified_in_MODDN_operation
>>
>> Note: I kept for the moment the original design in 'alternative no1'.
>>
>> regards
>> thierry
>>
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel

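The keyword-ordering pitfall described in the reply above, as an added example that is not part of the original message and is not 389-ds code: a prefix-only matcher shadows `target_to`/`target_from` when `target` is tested first. The function names, enum and sample clauses are hypothetical; `classify_strict` goes one step beyond the message by requiring an operator after the keyword, which makes the test order irrelevant.

```c
#include <stdio.h>
#include <string.h>

typedef enum { KW_UNKNOWN, KW_TARGET, KW_TARGET_TO, KW_TARGET_FROM } aci_kw;

/* Hypothetical helper: true when s merely begins with kw. */
static int has_prefix(const char *s, const char *kw) {
    return strncmp(s, kw, strlen(kw)) == 0;
}

/* Short keyword first: every "target_to"/"target_from" clause hits the first test. */
aci_kw classify_naive(const char *s) {
    if (has_prefix(s, "target"))      return KW_TARGET;
    if (has_prefix(s, "target_to"))   return KW_TARGET_TO;   /* unreachable */
    if (has_prefix(s, "target_from")) return KW_TARGET_FROM; /* unreachable */
    return KW_UNKNOWN;
}

/* Longer keywords first, as the message recommends. */
aci_kw classify_ordered(const char *s) {
    if (has_prefix(s, "target_to"))   return KW_TARGET_TO;
    if (has_prefix(s, "target_from")) return KW_TARGET_FROM;
    if (has_prefix(s, "target"))      return KW_TARGET;
    return KW_UNKNOWN;
}

/* Keyword must be followed by optional spaces and "=" or "!=". */
static int match_kw(const char *s, const char *kw) {
    size_t n = strlen(kw);
    if (strncmp(s, kw, n) != 0) return 0;
    s += n;
    while (*s == ' ') s++;
    return *s == '=' || (s[0] == '!' && s[1] == '=');
}

/* Boundary-checked: correct even with "target" tested first. */
aci_kw classify_strict(const char *s) {
    if (match_kw(s, "target"))      return KW_TARGET;
    if (match_kw(s, "target_to"))   return KW_TARGET_TO;
    if (match_kw(s, "target_from")) return KW_TARGET_FROM;
    return KW_UNKNOWN;
}

int main(void) {
    /* Constructed sample clause, not taken from the design page. */
    const char *s = "target_to=\"ldap:///ou=people,dc=example,dc=com\"";
    printf("naive=%d ordered=%d strict=%d\n", (int)classify_naive(s),
           (int)classify_ordered(s), (int)classify_strict(s));
    return 0;
}
```

The ordered prefix matcher still accepts an unknown keyword such as `target_other` as `target`; only the boundary-checked variant rejects it.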