
Re: Global ACLs - Impacts access control and SLAPI (ITS#3100)



I wouldn't have much problem with slapd only applying
global ACLs to entries outside of contexts IF
global ACLs were specified.  But if no global ACLs were
specified, then first database ACLs should be applied.

This gives you your shortcut without, I hope, breaking
deployments which rely on the existing behavior.

Kurt

At 07:37 AM 4/20/2004, ando@sys-net.it wrote:
>Let me elaborate just a bit more: I'm not saying the code is wrong;
>actually, the current behavior never looked even strange to me because
>when I usually design ACLs I don't happen to trigger this type of
>problem.  I was playing with my new slapacl toy, and I noticed
>this behavior was a bit counterintuitive for my usual ACL coding
>style.
>
>Usually I do:
>
>access to *
>  by * read
>
>database xxx
>suffix <namingContext>
>
>access to <specific>
>  by <who> <level>
>
># ...
>
>access to <namingContext>
>  by <who> <level>
>
>so there's never any problem, because all database rules stop at
><namingContext>.  I had one when, as the last database rule, I used
>
>access to *
>  by * read
>
>which shadowed the global rules when accessing "cn=subschema", but it's
>not something I'm going to exploit in real deployments.  If I don't add
>this rule, then global rules catch all at the end.  What disturbs me is
>when I'm testing access to something that's outside the namingContext the
>database rules were designed for.
>
>p.
>
>
>-- 
>Pierangelo Masarati
>mailto:pierangelo.masarati@sys-net.it