
Re: (ITS#5884) disclose ACL not safe on non-leaf objects



I think you're sort of overexpecting from this feature.  The basic
existence of "disclose" within the access privileges means that
administrators can get most of the advantage out of it.  But think of
what you are asking for: you want to be able to say "well, the whole
tree must not be disclosable.  According to slapd's ACL paradigm, I'll
start enumerating access privileges narrow from broad, *but*, for the
disclose level, I want it to work broad from narrow."  I agree it would
be quite useful to be able to just say "access has to be exactly what I
have in mind, no more, no less", but somehow you need to be able to
translate your expectation into an inevitably limited language that slapd
can understand.  For this reason, you need to explicitly add "disclose"
access whenever you're detailing access to "narrow", since you can't
expect "broad" to overcome "narrow" when "narrow" comes first.  Hope I
made the point.  Regardless of what any of us considers the "expected"
or the "favored" behavior, slapd's ACLs work like that.  Either you
write them the way slapd expects them, or you'll get a behavior
different from expected.  Of course, feel free to propose a totally
different, at least identically flexible and more user-friendly way to
describe access privileges.

p.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------
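An added slapd.conf illustration of the first-match point made above (not part of the ITS thread; the dc=example,dc=com suffix, the ou=hr subtree and the cn=hr group are made-up names). slapd uses the first "access to" clause whose target matches, so a "disclose" granted only in the broad clause never reaches entries already claimed by the narrower clause:

```conf
# WRONG: authenticated non-HR users match the narrow clause first and
# fall through to "by * none", so they never get the "disclose" that the
# broad clause below was meant to give them for the whole tree.
access to dn.subtree="ou=hr,dc=example,dc=com"
    by group.exact="cn=hr,ou=groups,dc=example,dc=com" read
    by * none

access to dn.subtree="dc=example,dc=com"
    by users disclose
    by * none

# CORRECT: the narrow clause states "disclose" explicitly, because the
# broad clause is never consulted for entries it already matched.
# Privileges are cumulative, so "read" for the HR group still implies
# disclose; only the remaining authenticated users need the extra line.
access to dn.subtree="ou=hr,dc=example,dc=com"
    by group.exact="cn=hr,ou=groups,dc=example,dc=com" read
    by users disclose
    by * none

access to dn.subtree="dc=example,dc=com"
    by users disclose
    by * none
```

Checking with `slapacl -b "uid=someone,ou=hr,dc=example,dc=com" -D "uid=other,ou=people,dc=example,dc=com" entry` (assumed DNs) shows the difference without touching live clients.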