[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5705) [enhancement] slapo-constraint could honor "relax" by not checking for constraints

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#5705) [enhancement] slapo-constraint could honor "relax" by not checking for constraints
From: ando@sys-net.it
Date: Sun, 12 Oct 2008 21:30:04 GMT

michael@stroeder.com wrote:

> What's the use-case for this? I'm concerned about overloading the
> semantics of Relax Rules control far beyond what's written in
> draft-zeilenga-ldap-relax.

Well, a user with "manage" privileges on related data could bypass 
constraints enforced by slapo-constraint(5) by using the "relax" 
control.  The rationale is that a user with manage privileges could be 
able to repair an entry that needs to violate a constraint for good 
reasons.  Note that the user:

- must have enough privileges to do it (manage)

- must inform the DSA that intends to violate the constraint (by using 
the control)

I decided to overload "relax" rather than defining a specific control 
because I believe this fits into the spirit of "relax".  In fact, the 
resulting entry would violate a constraint, but would not violate the 
protocol.

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------

Prev by Date: Re: (ITS#5705) [enhancement] slapo-constraint could honor "relax" by not checking for constraints
Next by Date: Re: (ITS#5705) [enhancement] slapo-constraint could honor "relax" by not checking for constraints
Index(es):
- Chronological
- Thread