Re: (ITS#5705) [enhancement] slapo-constraint could honor "relax" by not checking for constraints
michael@stroeder.com wrote:
> What's the use-case for this? I'm concerned about overloading the
> semantics of Relax Rules control far beyond what's written in
> draft-zeilenga-ldap-relax.
Well, a user with "manage" privileges on related data could bypass
constraints enforced by slapo-constraint(5) by using the "relax"
control. The rationale is that a user with manage privileges could be
able to repair an entry that needs to violate a constraint for good
reasons. Note that the user:
- must have enough privileges to do it (manage)
- must inform the DSA that they intend to violate the constraint (by using
the control)
I decided to overload "relax" rather than defining a specific control
because I believe this fits into the spirit of "relax". In fact, the
resulting entry would violate a constraint, but would not violate the
protocol.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando@sys-net.it
-----------------------------------