[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: rename across trees: manageDIT?



Pierangelo Masarati wrote:

I guess this is something slightly different: I want to defer access checking to the time the backend calls acl_check_modlist(); but in that case, noUserMod attrs don't get checked because accerss checking assumes they were internally generated, while they were actually supplied by the user under the umbrella of manageDIT. So the answer is no, unless I'm missing something.

One thing I was totally missing is that right now manageDIT can only be used by the rootdn identity. If this limitation is not going to be removed, the entire idea of manage access privilege is going to be useless, and I was finding it quite interesting, because it gives a lot of freedom in delegating fine grained administration capabilities.

I have non-root manage access consistently checked for modifies and (partially) for adds (in back-bdb, at least; could be confined into access checking, though). I think manage access makes little sense for modrdn and delete, but I might have overlooked something. Should I go on and commit it?


p.


SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497