Re: Global ACLs - Impacts access control and SLAPI (ITS#3100)
> At 06:12 AM 4/20/2004, ando@sys-net.it wrote:
>>> I don't think it is broke, but intended behavior:
>>>
>>> If there are global acls, they apply to all databases
>>> after any db acls. If the db has no acls, global acls
>>> are used.
>>>
>>> If the target is not within any database, acls of
>>> first database (then global acls) apply.
>>>
>>> It's been this way for many years (long before SLAPI).
>>
>>I'll revert in a moment. My concern was that
>>when addressing rootDSE or cn=subschema, I had
>>to run thru the first database rules, which is
>>counterintuitive; wouldn't it be better to
>>address this specific case by short-circuiting
>>to global_acl?
>
> Then they wouldn't be global acls. They'd be
> acls which applied to objects outside of all
> databases. While it might make sense to have
> a set of ACLs which applied to this set of
> objects, it is a different set concept than
> intended.
>
> (Note that global ACLs were invented before there
> was a root DSE or cn=subschema.)

I mean:

- DN is within namingContext?
    apply namingContextACL, then globalACL
- DN is not within namingContext?
    apply globalACL

This (to me) would sound more intuitive:
go from local to global; stay global otherwise.

p.

--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
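
Added example, not part of the original message and not OpenLDAP code: a small Python model of the two ACL-selection rules discussed in this thread (the behaviour described in the quoted text, and the local-then-global alternative), showing which targets end up with a different ACL chain. The suffixes, ACL labels and function names are constructed for illustration, and DN matching is simplified.

```python
# Model of the two ACL-selection rules from this thread (illustrative only).
# Suffixes and ACL labels below are constructed sample data, not slapd.conf syntax.

def normalize(dn):
    """Simplified DN normalization: lower-case, trim around commas.
    Does not handle escaped commas or multi-valued RDNs."""
    return ",".join(p.strip().lower() for p in dn.split(",")) if dn else ""

def owning_db(dn, databases):
    """Return the database whose suffix is the longest match for dn, else None."""
    dn, best = normalize(dn), None
    for db in databases:
        suffix = normalize(db["suffix"])
        if dn == suffix or dn.endswith("," + suffix):
            if best is None or len(suffix) > len(normalize(best["suffix"])):
                best = db
    return best

def acl_chain_current(dn, databases, global_acl):
    """Rule as described in the quoted text: db ACLs, then global ACLs;
    a target outside every database falls back to the FIRST database."""
    db = owning_db(dn, databases) or (databases[0] if databases else None)
    return (db["acl"] if db else []) + global_acl

def acl_chain_proposed(dn, databases, global_acl):
    """Alternative from the reply: local then global; global only otherwise."""
    db = owning_db(dn, databases)
    return (db["acl"] if db else []) + global_acl

def differing_targets(dns, databases, global_acl):
    """DNs whose effective ACL chain differs between the two rules."""
    return [dn for dn in dns
            if acl_chain_current(dn, databases, global_acl)
            != acl_chain_proposed(dn, databases, global_acl)]

# Constructed sample configuration.
DATABASES = [
    {"suffix": "dc=example,dc=com", "acl": ["db1: sample rule"]},
    {"suffix": "dc=example,dc=org", "acl": []},  # database with no ACLs
]
GLOBAL_ACL = ["global: sample rule"]
# "" stands for the root DSE.
TARGETS = ["", "cn=Subschema", "uid=a,dc=example,dc=com", "uid=b, dc=example,dc=org"]

if __name__ == "__main__":
    for dn in TARGETS:
        print(repr(dn), acl_chain_current(dn, DATABASES, GLOBAL_ACL),
              acl_chain_proposed(dn, DATABASES, GLOBAL_ACL))
    print("differ:", differing_targets(TARGETS, DATABASES, GLOBAL_ACL))
```

Only the targets outside every suffix (the root DSE and cn=subschema here) change, which is where reordering the databases in a configuration would silently change which rules are evaluated first under the fallback rule.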