https://bugzilla.redhat.com/attachment.cgi?id=453261&action=
Thanks to Nathan for his review on the first proposal. I'm adding
this change following Rich's suggestion.
Following the suggestion by Rich, adding "nsslapd-securelistenhost" to the
default nsslapd-allowed-to-delete-attrs list.
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index 6b58dde..a7cc1bc 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -1013,6 +1013,8 @@ FrontendConfig_init () {
cfg->entryusn_global = LDAP_OFF;
slapi_ch_array_add(&(cfg->allowed_to_delete_attrs),
slapi_ch_strdup("nsslapd-listenhost"));
+ slapi_ch_array_add(&(cfg->allowed_to_delete_attrs),
+ slapi_ch_strdup("nsslapd-securelistenhost"));
#ifdef MEMPOOL_EXPERIMENTAL
cfg->mempool_switch = LDAP_ON;
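Review bot: The two added lines in FrontendConfig_init() repeat the slapi_ch_array_add()/slapi_ch_strdup() pair with a second bare string literal, and nothing in the code says why these attributes are in the default list. Please add a short comment above the pair stating that these are the defaults for nsslapd-allowed-to-delete-attrs, so the code and the description ("By default, the list contains ...") stay in sync. If more defaults are expected, a small static array of names walked in a loop would keep each default to a single line. Since an entry in this list makes the attribute deletable rather than rejected, a test that deletes nsslapd-securelistenhost and checks both the result and the error-log entry would be a useful companion to this hunk.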
Description:
1. Originally, configuration attributes were designed not to allow
adding or deleting, but to allow just replacing. Due to a defect
in checking the add operation, adding (LDAP_MOD_ADD) is not
rejected.
Instead of fixing the add checking to disallow adding, this patch
logs the operation in the error log.
2. On the other hand, deleting configuration attributes is rejected
with LDAP_UNWILLING_TO_PERFORM. We have a request that some
attributes need to be allowed to be deleted. This patch introduces
a config attribute nsslapd-allowed-to-delete-attrs, whose value is
a list of configuration attributes separated by a space ' '. If an
attribute is in the list, the attribute is allowed to be deleted.
The delete operation is also logged in the error log.
By default, the list contains "nsslapd-listenhost" and
"nsslapd-securelistenhost".
Files:
 ldap/servers/slapd/configdse.c
 ldap/servers/slapd/libglobs.c
 ldap/servers/slapd/proto-slap.h
 ldap/servers/slapd/slap.h
Thanks,
--noriko
--
389-devel mailing list
389-devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-devel
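
The rule in the Description above, as an added C example that is not code from the patch or from 389 Directory Server: a whole-token, case-insensitive lookup in the space-separated nsslapd-allowed-to-delete-attrs value, then the per-operation decision. The function names, the EX_ constants and the rejection of unknown operations are assumptions made for this illustration.

```c
#include <ctype.h>
#include <string.h>

/* Constructed stand-ins for the LDAP constants named in the description. */
enum { EX_MOD_ADD = 0, EX_MOD_DELETE = 1, EX_MOD_REPLACE = 2 };
enum { EX_SUCCESS = 0, EX_UNWILLING_TO_PERFORM = 53 };

/* Case-insensitive comparison of n bytes (attribute names ignore case). */
static int token_eq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Return 1 only if attr equals a whole token of the space-separated list,
 * so "nsslapd-listen" does not match "nsslapd-listenhost". */
static int attr_in_list(const char *list, const char *attr)
{
    size_t alen = strlen(attr);
    const char *p = list;

    if (alen == 0) return 0;
    while (*p) {
        while (*p == ' ') p++;             /* skip separators */
        size_t tlen = strcspn(p, " ");     /* length of this token */
        if (tlen == alen && token_eq(p, attr, alen)) return 1;
        p += tlen;
    }
    return 0;
}

/* Hypothetical helper: decide one modification of a config attribute.
 * *log_it is set when the operation should go to the error log. */
int config_mod_check(int op, const char *attr, const char *allowed, int *log_it)
{
    *log_it = 0;
    switch (op) {
    case EX_MOD_REPLACE:
        return EX_SUCCESS;
    case EX_MOD_ADD:                       /* not rejected, but logged */
        *log_it = 1;
        return EX_SUCCESS;
    case EX_MOD_DELETE:                    /* allowed only if listed */
        if (!attr_in_list(allowed, attr)) return EX_UNWILLING_TO_PERFORM;
        *log_it = 1;
        return EX_SUCCESS;
    default:                               /* assumption: reject unknown ops */
        return EX_UNWILLING_TO_PERFORM;
    }
}
```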