Re: (ITS#5884) disclose ACL not safe on non-leaf objects
I think you're sort of overexpecting from this feature. The basic
existence of "disclose" within the access privileges means that
administrators can get most of the advantage out of it. But think of
what you are asking for: you want to be able to say "well, the whole
tree must not be disclosable. According to slapd's ACL paradigm, I'll
start enumerating access privileges narrow from broad, *but*, for the
disclose level, I want it to work broad from narrow." I agree it would
be quite useful to be able to just say "access has to be exactly what I
have in mind, no more, no less", but somehow you need to be able to
translate your expectation into an inevitably limited language that slapd
can understand. For this reason, you need to explicitly add "disclose"
access whenever you're detailing access to "narrow", since you can't
expect "broad" to overcome "narrow" when "narrow" comes first. Hope I
made the point. Regardless of what any of us considers the "expected"
or the "favored" behavior, slapd's ACLs work like that. Either you
write them the way slapd expects them, or you'll get a behavior
different from expected. Of course, feel free to propose a totally
different, at least identically flexible and more user-friendly way to
describe access privileges.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando@sys-net.it
-----------------------------------
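The ordering rule described in the reply above (the first "access to" clause whose target matches an entry wins, so a later, broader clause cannot add "disclose" to entries already matched by an earlier, narrower one), shown as an added slapd.conf example. This is not from the ITS thread or from OpenLDAP's own configuration; the suffix dc=example,dc=com, the ou=hr subtree and the cn=admins group are hypothetical. The two fragments are alternatives for the same deployment, not meant to be loaded together.

```conf
# Added example, not part of the original message. DNs are hypothetical.

### BEFORE: "disclose" is only granted in the broad clause.
# Entries under ou=hr match the first clause, which gives anonymous
# "none". The second clause is never consulted for them, so the
# existence of ou=hr entries stays hidden (slapd answers as if they
# did not exist) even though the broad clause says "by * disclose".
access to dn.subtree="ou=hr,dc=example,dc=com"
    by group.exact="cn=admins,dc=example,dc=com" write
    by * none

access to dn.subtree="dc=example,dc=com"
    by users read
    by * disclose

### AFTER: repeat "disclose" in every narrower clause that should
### allow existence to be revealed; a later broad clause cannot
### override an earlier matching narrow one.
access to dn.subtree="ou=hr,dc=example,dc=com"
    by group.exact="cn=admins,dc=example,dc=com" write
    by * disclose

access to dn.subtree="dc=example,dc=com"
    by users read
    by * disclose
```

Quick check: bind anonymously and run a base-scope search against an entry under ou=hr. With the BEFORE fragment slapd reports noSuchObject; with the AFTER fragment it reports insufficientAccess, which is exactly the difference "disclose" controls. If the intent is the opposite (the subtree must not be disclosable at all), keep "by * none" in the narrow clause; either way the narrow clause, being first, is the one that decides.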