[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#6299) Support for RFC 4529 in slapo-allowed

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#6299) Support for RFC 4529 in slapo-allowed
From: michael@stroeder.com
Date: Wed, 23 Sep 2009 16:02:09 GMT
Auto-submitted: auto-generated (OpenLDAP-ITS)

masarati@aero.polimi.it wrote:
>> If the client wants to request via slapo-allowed which attributes are
>> readable/writeable before adding another object class then object classes
>> not
>> yet part of the entry could be used if the client adds the object class
>> name
>> prefixed with @. This is an extension to the semantics but should not
>> cause any
>> problem with existing clients.
> 
> with the current implementation of slapo-allowed, the client does not do
> anything specific but requesting those special operational attributes.

Yes. That's what I've implemented. Well, what slapo-allowed and MS AD
implement is limited anyway. E.g. no way to determine writeable attrs when
adding new entries.

> It is not clear to me how the semantics you propose should be activated. 
> If you mean that having some "@" + <objectClass> in the requested attrs
> should populate the allowedAttributes and allowedAttributesEffective
> attributes, I think it would be a significant distortion of the meaning of
> the requested attributes.

Yes, my suggestion was that slapo-allowed looks at the attr list in the search
request for occurences of "@" + <objectClass>. And then use each <objectClass>
(if not yet in the set of current object classes of the entry) to evaluate the
accompanying attrs and put them into allowedAttributes and/or
allowedAttributesEffective.

Yes, that's a change in the current semantics.

I now partially worked around the problem with new object classes in web2ldap
by determining which attrs would be really new when adding a set of object
classes enabling all the input fields for these new attrs. But off course
that's not nice.

> I'd rather favor defining a specific control request, that sort of
> "mimics" adding some attributes, including objectClass values, to an
> existing entry, so that allowedAttributes and allowedAttributesEffective
> are populated accordingly.

There are some implementations of the Get Effective Rights control but they
seem to slightly differ.

Ciao, Michael.

Prev by Date: Re: (ITS#6302) second-guessing of libsasl ABI is incorrect for Linux distributions
Next by Date: Re: (ITS#6299) Support for RFC 4529 in slapo-allowed
Index(es):
- Chronological
- Thread