
Re: ACIs rely on multivalue attribute order (Was: are multivalued attributes really unordered?)



> On a related note, I see that the current implementation of ACIs relies on
> the ordering of multivalued attributes; in fact, ACI values are evaluated
> in the order they appear, and as soon as one matches, the checking
> terminates; of course, writing ACIs with different values of the
> OpenLDAPaci attributes that overlap would be considered wrong, but in any
> case it is possible and I guess in some cases it may also be considered
> desirable (I didn't consider this enough to exclude that possibility).

I overlooked the design; the above is only partially true, in the sense
that all rules (i.e. all values) are evaluated for a single object; what I
haven't understood yet is if the order in which they are evaluated is
irrelevant or may alter the resulting permissions.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497