Re: (ITS#7493) slapo-allowed: allowed* attrs are replicated



On Tue, 15 Jan 2013 13:37:06 GMT masarati@aero.polimi.it wrote

> On 01/15/2013 01:56 PM, hyc@symas.com wrote:
> > On Tue, Jan 15, 2013 at 12:18:59PM +0000, michael@stroeder.com wrote:
> >> Full_Name:
> >> Version: RE24 6f33e2c
> >> OS:
> >> URL:
> >> Submission from: (NULL) (2001:8d8:1fe:1:d6be:d9ff:fe06:a14f)
> >>
> >>
> >> It seems that operational attributes generated by slapo-allowed are
> >> replicated.
> >
> > Works as designed. These attributes are directoryOperation, not
> > DSA-specific. 
>
> I see the point; since they're generated by the overlay in response to 
> search operations, either they should not be replicated, or replication 
> should accept them.
> 
> Their value depends on ACLs, so in order to reflect ACLs on a specific 
> DSA they should be generated; however, I concur ACLs should not depend 
> on the specific DSA of a replication setup.

The values depend on local ACLs *and* current authz-DN.

=> These attributes MUST NOT be replicated.

Ciao, Michael.