
ITS#1383



This syntax corrects the issue:

OpenLDAPaci:
1.2.3#entry#grant;r;[entry];r,s;cn,member#group#cn=group1...

The described behavior is not the same as that in practice. It appears
all rights not explicitly granted are implicitly denied, resulting in
every "by aci" directive ending necessarily in a stop, regardless of
whether the subject is matched by DN and/or group membership. A
non-matched subject results in no-access to [entry]. 

Granting access to [all] implies [entry], but granting access only to
attributes does not imply [entry]. I think that granting r to any
attribute should imply granting r to [entry], but I expect there are
reasons for the current interpretation.
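
The behaviour described in this message, as an added example that is not part of the original post or of OpenLDAP's code: a small check that flags an OpenLDAPaci value granting a permission on named attributes without granting it on [entry] or [all]. The field layout (OID#scope#rights#type#subject, with rights as action;perms;targets pairs) is assumed from the value shown above; the two comparison values are constructed, and permission letters are compared literally.

```python
# Added example: flag OpenLDAPaci grants that name attributes but never [entry].
# Layout OID#scope#rights#type#subject is assumed from the value in the message.

def parse_aci(value):
    """Split one OpenLDAPaci value into its fields and (perms, targets) pairs."""
    parts = value.split("#", 4)
    if len(parts) != 5:
        raise ValueError("expected OID#scope#rights#type#subject: %r" % value)
    oid, scope, rights, subj_type, subject = parts
    fields = rights.split(";")
    # rights = action;perms;targets[;perms;targets...]
    if len(fields) < 3 or len(fields) % 2 == 0:
        raise ValueError("rights must be action;perms;targets[;...]: %r" % rights)
    if fields[0] not in ("grant", "deny"):
        raise ValueError("unknown action: %r" % fields[0])
    pairs = []
    for i in range(1, len(fields), 2):
        perms = {p.strip() for p in fields[i].split(",") if p.strip()}
        targets = [t.strip() for t in fields[i + 1].split(",") if t.strip()]
        pairs.append((perms, targets))
    return {"oid": oid, "scope": scope, "action": fields[0], "pairs": pairs,
            "type": subj_type, "subject": subject}

def attrs_without_entry(value, perm="r"):
    """Attributes granted `perm` while the entry itself is not ([entry]/[all])."""
    aci = parse_aci(value)
    if aci["action"] != "grant":
        return []
    entry_ok = any(perm in perms and ("[entry]" in targets or "[all]" in targets)
                   for perms, targets in aci["pairs"])
    if entry_ok:
        return []
    return sorted({t for perms, targets in aci["pairs"] if perm in perms
                   for t in targets if not t.startswith("[")})

# Value from the message (subject left truncated exactly as posted).
FIXED = "1.2.3#entry#grant;r;[entry];r,s;cn,member#group#cn=group1..."
# Constructed variants for comparison; not taken from the message.
ATTRS_ONLY = "1.2.3#entry#grant;r,s;cn,member#group#cn=group1..."
ALL_TARGET = "1.2.3#entry#grant;r,s;[all]#group#cn=group1..."

if __name__ == "__main__":
    for label, value in (("fixed", FIXED), ("attrs only", ATTRS_ONLY),
                         ("[all]", ALL_TARGET)):
        print(label, "->", attrs_without_entry(value) or "entry readable")
```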