Software Bugs/7493
Notes:
fixed in HEAD
fixed in RE24
Date: Tue, 15 Jan 2013 12:18:59 +0000 From: michael@stroeder.com To: openldap-its@OpenLDAP.org Subject: slapo-allowed: allowed* attrs are replicated
Full_Name:
Version: RE24 6f33e2c
OS:
URL:
Submission from: (NULL) (2001:8d8:1fe:1:d6be:d9ff:fe06:a14f)

It seems that operational attributes generated by slapo-allowed are replicated.

Syslog shows:
mods check (allowedAttributes: value #0 invalid per syntax)
Date: Tue, 15 Jan 2013 04:56:30 -0800 From: hyc@symas.com To: michael@stroeder.com Cc: openldap-its@openldap.org Subject: Re: (ITS#7493) slapo-allowed: allowed* attrs are replicated
On Tue, Jan 15, 2013 at 12:18:59PM +0000, michael@stroeder.com wrote:
> Full_Name:
> Version: RE24 6f33e2c
> OS:
> URL:
> Submission from: (NULL) (2001:8d8:1fe:1:d6be:d9ff:fe06:a14f)
>
>
> It seems that operational attributes generated by slapo-allowed are replicated.

Works as designed. These attributes are directoryOperation, not DSA-specific.
Closing this ITS.

> Syslog shows:
> mods check (allowedAttributes: value #0 invalid per syntax)
>
Date: Tue, 15 Jan 2013 14:34:29 +0100 From: Pierangelo Masarati <masarati@aero.polimi.it> To: hyc@symas.com CC: openldap-its@openldap.org Subject: Re: (ITS#7493) slapo-allowed: allowed* attrs are replicated
On 01/15/2013 01:56 PM, hyc@symas.com wrote:
> On Tue, Jan 15, 2013 at 12:18:59PM +0000, michael@stroeder.com wrote:
>> Full_Name:
>> Version: RE24 6f33e2c
>> OS:
>> URL:
>> Submission from: (NULL) (2001:8d8:1fe:1:d6be:d9ff:fe06:a14f)
>>
>>
>> It seems that operational attributes generated by slapo-allowed are replicated.
>
> Works as designed. These attributes are directoryOperation, not DSA-specific.

I see the point; since they're generated by the overlay in response to search operations, either they should not be replicated, or replication should accept them.

Their value depends on ACLs, so in order to reflect ACLs on a specific DSA they should be generated; however, I concur ACLs should not depend on the specific DSA of a replication setup.

I'm open to suggestions about how to fix this.

p.

--
Pierangelo Masarati
Associate Professor
Dipartimento di Ingegneria Aerospaziale
Politecnico di Milano
To: openldap-its@openldap.org, <hyc@symas.com> From: "Michael Ströder" <michael@stroeder.com> Subject: Re: (ITS#7493) slapo-allowed: allowed* attrs are replicated Date: Tue, 15 Jan 2013 14:38:18 +0100
On Tue, 15 Jan 2013 12:56:35 GMT hyc@symas.com wrote
> > It seems that operational attributes generated by slapo-allowed are
> > replicated.
>
> Works as designed. These attributes are directoryOperation, not DSA-specific.
> Closing this ITS.

The fact that slapo-allowed in contrib/ does not declare the attribute types as DSA-specific does not mean that they are not DSA-specific. I guess MS AD does not care about subschema DSA-specific or not so we have to apply common sense here.

The allowed* attr values are supposed to be generated based on the local access control configuration. Since with OpenLDAP local configuration and therefore local ACLs can differ on different replicas these attrs MUST NOT be replicated.

Please re-open the ITS.

Ciao, Michael.
To: openldap-its@openldap.org, <masarati@aero.polimi.it> From: "Michael Ströder" <michael@stroeder.com> Subject: Re: (ITS#7493) slapo-allowed: allowed* attrs are replicated Date: Tue, 15 Jan 2013 14:49:52 +0100
On Tue, 15 Jan 2013 13:37:06 GMT masarati@aero.polimi.it wrote
> On 01/15/2013 01:56 PM, hyc@symas.com wrote:
> > On Tue, Jan 15, 2013 at 12:18:59PM +0000, michael@stroeder.com wrote:
> >> Full_Name:
> >> Version: RE24 6f33e2c
> >> OS:
> >> URL:
> >> Submission from: (NULL) (2001:8d8:1fe:1:d6be:d9ff:fe06:a14f)
> >>
> >>
> >> It seems that operational attributes generated by slapo-allowed are
> >> replicated.
> >
> > Works as designed. These attributes are directoryOperation, not
> > DSA-specific.
>
> I see the point; since they're generated by the overlay in response to
> search operations, either they should not be replicated, or replication
> should accept them.
>
> Their value depends on ACLs, so in order to reflect ACLs on a specific
> DSA they should be generated; however, I concur ACLs should not depend
> on the specific DSA of a replication setup.

The values depend on local ACLs *and* current authz-DN.

=> These attributes MUST NOT be replicated.

Ciao, Michael.
To: openldap-its@openldap.org, <masarati@aero.polimi.it> From: "Michael Ströder" <michael@stroeder.com> Subject: Re: (ITS#7493) slapo-allowed: allowed* attrs are replicated Date: Tue, 15 Jan 2013 14:51:33 +0100
On Tue, 15 Jan 2013 13:37:06 GMT masarati@aero.polimi.it wrote
> Their value depends on ACLs, so in order to reflect ACLs on a specific
> DSA they should be generated; however, I concur ACLs should not depend
> on the specific DSA of a replication setup.

BTW: It does make sense to have different ACLs on different replicas! Think of a master with fine-grained ACLs for entry management and read-only consumers with simpler ACLs for better performance.

Ciao, Michael.
Date: Tue, 15 Jan 2013 19:40:00 +0100 From: Michael Ströder <michael@stroeder.com> To: openldap-its@openldap.org Subject: Re: (ITS#7493) slapo-allowed: allowed* attrs are replicated
Please consider the attached patch which sets allowed "USAGE dSAOperation". This seems to be the most appropriate USAGE comparable to what's set for entryTTL in slapo-dds.

I, Michael Ströder, hereby place the attached modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice.

Ciao, Michael.

Attachment: openldap_its7493.patch
diff --git a/contrib/slapd-modules/allowed/allowed.c b/contrib/slapd-modu= les/allowed/allowed.c index b44461a..0099b70 100644 --- a/contrib/slapd-modules/allowed/allowed.c +++ b/contrib/slapd-modules/allowed/allowed.c @@ -73,7 +73,7 @@ static struct { /* added by me :) */ "DESC 'Child classes allowed for a given object' " "NO-USER-MODIFICATION " - "USAGE directoryOperation )", &ad_allowedChildClasses }, + "USAGE dSAOperation )", &ad_allowedChildClasses }, { "( " AA_SCHEMA_AT ".912 " "NAME 'allowedChildClassesEffective' " "EQUALITY objectIdentifierMatch " @@ -81,7 +81,7 @@ static struct { /* added by me :) */ "DESC 'Child classes allowed for a given object according to ACLs' " "NO-USER-MODIFICATION " - "USAGE directoryOperation )", &ad_allowedChildClassesEffective }, + "USAGE dSAOperation )", &ad_allowedChildClassesEffective }, { "( " AA_SCHEMA_AT ".913 " "NAME 'allowedAttributes' " "EQUALITY objectIdentifierMatch " 
@@ -89,7 +89,7 @@ static struct { /* added by me :) */ "DESC 'Attributes allowed for a given object' " "NO-USER-MODIFICATION " - "USAGE directoryOperation )", &ad_allowedAttributes }, + "USAGE dSAOperation )", &ad_allowedAttributes }, { "( " AA_SCHEMA_AT ".914 " "NAME 'allowedAttributesEffective' " "EQUALITY objectIdentifierMatch " 
@@ -97,7 +97,7 @@ static struct { /* added by me :) */ "DESC 'Attributes allowed for a given object according to ACLs' " "NO-USER-MODIFICATION " - "USAGE directoryOperation )", &ad_allowedAttributesEffective }, + "USAGE dSAOperation )", &ad_allowedAttributesEffective }, =20 /* TODO: add objectClass stuff? */ =20
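Review bot: none of the four USAGE changes (the hunks at -73, -81, -89 and -97) is accompanied by a source comment giving the reason for dSAOperation; the only comments visible in the context are "added by me :)" and the objectClass TODO. A short comment above the table saying that the allowed* values are computed per server from the local ACLs and the requesting identity, so they are DSA-specific and must not be replicated, would record why the definitions no longer say directoryOperation.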
Date: Tue, 15 Jan 2013 20:00:11 +0100 From: Michael Ströder <michael@stroeder.com> To: openldap-its@openldap.org Subject: Re: (ITS#7493) slapo-allowed: allowed* attrs are replicated (re-sent)
(Re-sent without S/MIME signature to make ITS software happy)

Please consider the attached patch which sets allowed "USAGE dSAOperation". This seems to be the most appropriate USAGE comparable to what's set for entryTTL in slapo-dds.

I, Michael Ströder, hereby place the attached modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice.

Ciao, Michael.

Attachment: openldap_its7493.patch
diff --git a/contrib/slapd-modules/allowed/allowed.c b/contrib/slapd-modules/allowed/allowed.c index b44461a..0099b70 100644 --- a/contrib/slapd-modules/allowed/allowed.c +++ b/contrib/slapd-modules/allowed/allowed.c @@ -73,7 +73,7 @@ static struct { /* added by me :) */ "DESC 'Child classes allowed for a given object' " "NO-USER-MODIFICATION " - "USAGE directoryOperation )", &ad_allowedChildClasses }, + "USAGE dSAOperation )", &ad_allowedChildClasses }, { "( " AA_SCHEMA_AT ".912 " "NAME 'allowedChildClassesEffective' " "EQUALITY objectIdentifierMatch " @@ -81,7 +81,7 @@ static struct { /* added by me :) */ "DESC 'Child classes allowed for a given object according to ACLs' " "NO-USER-MODIFICATION " - "USAGE directoryOperation )", &ad_allowedChildClassesEffective }, + "USAGE dSAOperation )", &ad_allowedChildClassesEffective }, { "( " AA_SCHEMA_AT ".913 " "NAME 'allowedAttributes' " "EQUALITY objectIdentifierMatch " 
@@ -89,7 +89,7 @@ static struct { /* added by me :) */ "DESC 'Attributes allowed for a given object' " "NO-USER-MODIFICATION " - "USAGE directoryOperation )", &ad_allowedAttributes }, + "USAGE dSAOperation )", &ad_allowedAttributes }, { "( " AA_SCHEMA_AT ".914 " "NAME 'allowedAttributesEffective' " "EQUALITY objectIdentifierMatch " @@ -97,7 +97,7 @@ static struct { /* added by me :) */ "DESC 'Attributes allowed for a given object according to ACLs' " "NO-USER-MODIFICATION " - "USAGE directoryOperation )", &ad_allowedAttributesEffective }, + "USAGE dSAOperation )", &ad_allowedAttributesEffective }, /* TODO: add objectClass stuff? */
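Review bot: the same literal, "USAGE dSAOperation )", is now repeated in all four definitions (-73, -81, -89, -97), and the trailing TODO suggests more entries may follow. Defining the usage clause once as a macro, the way AA_SCHEMA_AT already supplies the OID prefix, and using it in each entry would keep a later allowed* definition from being added with a replicated usage by mistake.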
Date: Wed, 16 Jan 2013 09:07:38 +0100 From: Pierangelo Masarati <masarati@aero.polimi.it> To: michael@stroeder.com CC: openldap-its@openldap.org Subject: Re: (ITS#7493) slapo-allowed: allowed* attrs are replicated
On 01/15/2013 07:40 PM, michael@stroeder.com wrote:

> Please consider the attached patch which sets allowed
> "USAGE dSAOperation". This seems to be the most appropriate USAGE comparable
> to what's set for entryTTL in slapo-dds.

No objection with this patch, since those properties were "arbitrarily" assigned to attributes defined by others to provide software interoperability. Unless anyone has objections, I'd commit it.

Thanks, p.

--
Pierangelo Masarati
Associate Professor
Dipartimento di Ingegneria Aerospaziale
Politecnico di Milano
Date: Wed, 16 Jan 2013 05:08:36 -0800 From: Howard Chu <hyc@symas.com> To: masarati@aero.polimi.it, openldap-its@openldap.org Subject: Re: (ITS#7493) slapo-allowed: allowed* attrs are replicated
masarati@aero.polimi.it wrote:
> On 01/15/2013 07:40 PM, michael@stroeder.com wrote:
>
>> Please consider the attached patch which sets allowed
>> "USAGE dSAOperation". This seems to be the most appropriate USAGE comparable
>> to what's set for entryTTL in slapo-dds.
>
> No objection with this patch, since those properties were "arbitrarily"
> assigned to attributes defined by others to provide software
> interoperability. Unless anyone has objections, I'd commit it.

Go ahead. Please add a comment about the origin of the schema definitions and these interoperability concerns.

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Date: Wed, 16 Jan 2013 19:09:49 +0100 From: Michael Ströder <michael@stroeder.com> To: hyc@symas.com CC: openldap-its@openldap.org, masarati@aero.polimi.it Subject: Re: (ITS#7493) slapo-allowed: allowed* attrs are replicated
hyc@symas.com wrote:
> masarati@aero.polimi.it wrote:
>> On 01/15/2013 07:40 PM, michael@stroeder.com wrote:
>>
>>> Please consider the attached patch which sets allowed
>>> "USAGE dSAOperation". This seems to be the most appropriate USAGE comparable
>>> to what's set for entryTTL in slapo-dds.
>>
>> No objection with this patch, since those properties were "arbitrarily"
>> assigned to attributes defined by others to provide software
>> interoperability. Unless anyone has objections, I'd commit it.
>
> Go ahead. Please add a comment about the origin of the schema definitions and
> these interoperability concerns.

These attribute type descriptions were roughly taken from MS AD.

Today I've checked the subschema of a W2K8R2 AD server: I did not find a single attribute type description with USAGE although there were attribute types formally defined in RFCs. One example is 'entryTTL' defined with "USAGE dSAOperation" in RFC 2589 which in fact was co-authored by Microsoft employees.

The official Microsoft documentation is here [MS-ADA1]:

http://msdn.microsoft.com/en-us/library/cc219752.aspx

Ciao, Michael.
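The USAGE question raised in this thread can be checked against the attributeTypes values a server publishes in its subschema. The following is an added example, not code from OpenLDAP or from any participant in this thread: it parses RFC 4512 attribute type descriptions and lists which of the four allowed* types are not declared dSAOperation, the condition under which this ITS reports them being replicated. The sample definitions are constructed, and the OID arc 9.9.9 is a placeholder.

```python
import re

# RFC 4512, section 4.1.2: a description without a USAGE clause is
# userApplications.
DEFAULT_USAGE = "userApplications"

# The four attribute types touched by the patch in this thread.
WATCHED = {
    "allowedChildClasses", "allowedChildClassesEffective",
    "allowedAttributes", "allowedAttributesEffective",
}

# Quoted strings are single tokens, so keywords or parentheses inside a
# DESC value are never mistaken for schema keywords.
TOKEN = re.compile(r"'[^']*'|[()]|[^\s()']+")


def parse_attribute_type(desc):
    """Return (names, usage, no_user_modification) for one description."""
    tokens = TOKEN.findall(desc)
    names, usage, no_user_mod = [], DEFAULT_USAGE, False
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "NAME" and i + 1 < len(tokens):
            i += 1
            if tokens[i] == "(":          # NAME ( 'a' 'b' )
                i += 1
                while i < len(tokens) and tokens[i] != ")":
                    names.append(tokens[i].strip("'"))
                    i += 1
            else:                         # NAME 'a'
                names.append(tokens[i].strip("'"))
        elif tok == "USAGE" and i + 1 < len(tokens):
            i += 1
            usage = tokens[i]
        elif tok == "NO-USER-MODIFICATION":
            no_user_mod = True
        i += 1
    return names, usage, no_user_mod


def not_dsa_specific(attribute_types):
    """Names from WATCHED whose USAGE is anything other than dSAOperation."""
    flagged = set()
    for desc in attribute_types:
        names, usage, _ = parse_attribute_type(desc)
        if usage != "dSAOperation":
            flagged.update(WATCHED.intersection(names))
    return sorted(flagged)


def _sample(n, name, usage_clause):
    # Constructed sample: the OID arc 9.9.9 is a placeholder, not the
    # overlay's real AA_SCHEMA_AT value, which the page does not show.
    return ("( 9.9.9.%s NAME '%s' EQUALITY objectIdentifierMatch "
            "SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 "
            "DESC 'see USAGE dSAOperation ( discussion )' "
            "NO-USER-MODIFICATION %s)" % (n, name, usage_clause))


NAMES = sorted(WATCHED)
BEFORE = [_sample(n, a, "USAGE directoryOperation ") for n, a in enumerate(NAMES, 1)]
AFTER = [_sample(n, a, "USAGE dSAOperation ") for n, a in enumerate(NAMES, 1)]
NO_USAGE = [_sample(n, a, "") for n, a in enumerate(NAMES, 1)]

if __name__ == "__main__":
    for label, schema in (("before", BEFORE), ("after", AFTER), ("no USAGE", NO_USAGE)):
        print(label, not_dsa_specific(schema))
```

On a live server the input would be the attributeTypes values read from the subschema subentry instead of the constructed lists.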
Date: Wed, 16 Jan 2013 20:10:12 +0000 From: Howard Chu <hyc@symas.com> To: Michael Ströder <michael@stroeder.com> CC: openldap-its@openldap.org, masarati@aero.polimi.it Subject: Re: (ITS#7493) slapo-allowed: allowed* attrs are replicated
Michael Ströder wrote:
> hyc@symas.com wrote:
>> masarati@aero.polimi.it wrote:
>>> On 01/15/2013 07:40 PM, michael@stroeder.com wrote:
>>>
>>>> Please consider the attached patch which sets allowed
>>>> "USAGE dSAOperation". This seems to be the most appropriate USAGE comparable
>>>> to what's set for entryTTL in slapo-dds.
>>>
>>> No objection with this patch, since those properties were "arbitrarily"
>>> assigned to attributes defined by others to provide software
>>> interoperability. Unless anyone has objections, I'd commit it.
>>
>> Go ahead. Please add a comment about the origin of the schema definitions and
>> these interoperability concerns.
>
> These attribute type descriptions were roughly taken from MS AD.

I meant, please add a comment *in the patch* so it will remain in the source code.

> Today I've checked the subschema of a W2K8R2 AD server:
> I did not find a single attribute type description with USAGE although there
> were attribute types formally defined in RFCs. One example is 'entryTTL'
> defined with "USAGE dSAOperation" in RFC 2589 which in fact was co-authored by
> Microsoft employees.
>
> The official Microsoft documentation is here [MS-ADA1]:
>
> http://msdn.microsoft.com/en-us/library/cc219752.aspx
>
> Ciao, Michael.
>
Date: Wed, 16 Jan 2013 21:14:26 +0100 Subject: Re: (ITS#7493) slapo-allowed: allowed* attrs are replicated From: "Pierangelo Masarati" <masarati@aero.polimi.it> To: "Howard Chu" <hyc@symas.com> Cc: "Michael Ströder" <michael@stroeder.com>, openldap-its@openldap.org
> Michael Ströder wrote:
>> hyc@symas.com wrote:
>>> masarati@aero.polimi.it wrote:
>>>> On 01/15/2013 07:40 PM, michael@stroeder.com wrote:
>>>>
>>>>> Please consider the attached patch which sets allowed
>>>>> "USAGE dSAOperation". This seems to be the most appropriate USAGE
>>>>> comparable
>>>>> to what's set for entryTTL in slapo-dds.
>>>>
>>>> No objection with this patch, since those properties were
>>>> "arbitrarily"
>>>> assigned to attributes defined by others to provide software
>>>> interoperability. Unless anyone has objections, I'd commit it.
>>>
>>> Go ahead. Please add a comment about the origin of the schema
>>> definitions and
>>> these interoperability concerns.
>>
>> These attribute type descriptions were roughly taken from MS AD.
>
> I meant, please add a comment *in the patch* so it will remain in the
> source code.

There's already a detailed comment to this end in the related README, which links the attribute definitions on <http://msdn.microsoft.com/>.

p.

>> Today I've checked the subschema of a W2K8R2 AD server:
>> I did not find a single attribute type description with USAGE although
>> there
>> were attribute types formally defined in RFCs. One example is 'entryTTL'
>> defined with "USAGE dSAOperation" in RFC 2589 which in fact was
>> co-authored by
>> Microsoft employees.
>>
>> The official Microsoft documentation is here [MS-ADA1]:
>>
>> http://msdn.microsoft.com/en-us/library/cc219752.aspx
>>
>> Ciao, Michael.
>>

--
Pierangelo Masarati
Associate Professor
Dipartimento di Ingegneria Aerospaziale
Politecnico di Milano
Date: Wed, 16 Jan 2013 20:30:00 +0000 From: Howard Chu <hyc@symas.com> To: masarati@aero.polimi.it, openldap-its@openldap.org Subject: Re: (ITS#7493) slapo-allowed: allowed* attrs are replicated
masarati@aero.polimi.it wrote:
>> Michael Ströder wrote:
>>> hyc@symas.com wrote:
>>>> masarati@aero.polimi.it wrote:
>>>>> On 01/15/2013 07:40 PM, michael@stroeder.com wrote:
>>>>>
>>>>>> Please consider the attached patch which sets allowed
>>>>>> "USAGE dSAOperation". This seems to be the most appropriate USAGE
>>>>>> comparable
>>>>>> to what's set for entryTTL in slapo-dds.
>>>>>
>>>>> No objection with this patch, since those properties were
>>>>> "arbitrarily"
>>>>> assigned to attributes defined by others to provide software
>>>>> interoperability. Unless anyone has objections, I'd commit it.
>>>>
>>>> Go ahead. Please add a comment about the origin of the schema
>>>> definitions and
>>>> these interoperability concerns.
>>>
>>> These attribute type descriptions were roughly taken from MS AD.
>>
>> I meant, please add a comment *in the patch* so it will remain in the
>> source code.
>
> There's already a detailed comment to this end in the related README,
> which links the attribute definitions on <http://msdn.microsoft.com/>.

As already noted, those links don't provide actual schema definitions, nor do they define the USAGE. We're making a judgement call here with no documentation to support it. We should document why we're defining it this way so we don't have to repeat this conversation again down the road.

>
> p.
>
>>> Today I've checked the subschema of a W2K8R2 AD server:
>>> I did not find a single attribute type description with USAGE although
>>> there
>>> were attribute types formally defined in RFCs. One example is 'entryTTL'
>>> defined with "USAGE dSAOperation" in RFC 2589 which in fact was
>>> co-authored by
>>> Microsoft employees.
>>>
>>> The official Microsoft documentation is here [MS-ADA1]:
>>>
>>> http://msdn.microsoft.com/en-us/library/cc219752.aspx
>>>
>>> Ciao, Michael.
>>>
Date: Sat, 26 Jan 2013 14:30:59 +0100 From: =?ISO-8859-1?Q?Michael_Str=F6der?= <michael@stroeder.com> To: openldap-its@OpenLDAP.org Subject: Re: (ITS#7493) slapo-allowed: allowed* attrs are replicated
Any chance to see this patch appear in 2.4.34? Ciao, Michael.
______________ © Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org