
ldapACI permissions



Rick/Ryan,


Page 12:

TECHNICAL:

                e    EditDN   Edit an entry's DN
                b    BrowseDN Browse an entry's DN

How is EditDN permission different from Write permission on the naming
attribute?  How is BrowseDN permission different from Search permission
on the naming attribute?  Can I have EditDN permission on the entry
without explicit Write permission on the naming attribute of the
entry?  What would it mean?

(EJS) EditDN and BrowseDN work at the entry level (DN) and equate to permissions
to modify/access the DN for ldapmodifyDN/ldapmodifyRDN/ldapSearch operations.
Write works at the attribute level on attributes.



And do we really need both Search and Compare permissions?

(EJS) Yes, search and compare are 2 different operations.


TECHNICAL: What's the interaction between "[entry]" and attributes: if
somebody has add permission for objects but is denied permissions for
certain attributes, what happens?

(EJS) None. [entry] applies to the permissions a/d/e/b. [all] applies to the permissions for attributes. If a person has add permission, then he can add an entry and its attributes to that place in the DIT. The permissions for the attributes he added as part of adding that entry are governed by the access control attribute (ldapACI) that is added to that entry.

Ellen