[389-devel] Please review (take 2): [Bug 602456] Allow to add any cn=config attributes; allow to delete some cn=config attributes

Noriko Hosoi nhosoi at redhat.com
Wed Oct 13 18:38:22 UTC 2010


  https://bugzilla.redhat.com/show_bug.cgi?id=602456

https://bugzilla.redhat.com/attachment.cgi?id=453261&action=diff
https://bugzilla.redhat.com/attachment.cgi?id=453261&action=edit

Thanks to Nathan for his review on the first proposal.  I'm adding this 
change following Rich's suggestion.

Following the suggestion by Rich, adding "nsslapd-securelistenhost" to the
default nsslapd-allowed-to-delete-attrs list.

diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index 6b58dde..a7cc1bc 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -1013,6 +1013,8 @@ FrontendConfig_init () {
    cfg->entryusn_global = LDAP_OFF;
    slapi_ch_array_add(&(cfg->allowed_to_delete_attrs),
                       slapi_ch_strdup("nsslapd-listenhost"));
+  slapi_ch_array_add(&(cfg->allowed_to_delete_attrs),
+                     slapi_ch_strdup("nsslapd-securelistenhost"));

  #ifdef MEMPOOL_EXPERIMENTAL
    cfg->mempool_switch = LDAP_ON;
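Review bot: in FrontendConfig_init(), the nsslapd-securelistenhost default is added by copying the slapi_ch_array_add()/slapi_ch_strdup() pair already used for nsslapd-listenhost, so the default allowed_to_delete_attrs list exists only as string literals repeated in the init code. Consider a small static array of default attribute names walked in a loop, so that any later addition is a one-line change that is easy to spot in review. The description says deletes of cn=config attributes are otherwise rejected with LDAP_UNWILLING_TO_PERFORM, so each name here is an exception to that rule. A short comment above the list should say why these two listener attributes are deletable by default.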


> Description:
> 1. Originally, configuration attributes are designed not to allow
> adding or deleting, but to allow just replacing.  Due to a defect
> in checking the add operation, adding (LDAP_MOD_ADD) is not rejected.
> Instead of fixing the add checking to disallow adding, this patch
> logs the operation in the error log.
> 2. On the other hand, deleting configuration attributes is rejected
> with LDAP_UNWILLING_TO_PERFORM.  We have a request that some attributes
> need to be allowed to be deleted.  This patch introduces a config attribute
> nsslapd-allowed-to-delete-attrs, whose value is a list of configuration
> attributes separated by a space ' '.  If an attribute is in the list,
> the attribute is allowed to be deleted.  The delete operation is also
> logged in the error log.
By default, the list contains "nsslapd-listenhost" and 
"nsslapd-securelistenhost".

> Files:
>  ldap/servers/slapd/configdse.c
>  ldap/servers/slapd/libglobs.c
>  ldap/servers/slapd/proto-slap.h
>  ldap/servers/slapd/slap.h
>
>
> Thanks,
> --noriko
