ldapACI permissions
Rick/Ryan,
Page 12:
TECHNICAL:
e EditDN Edit an entry's DN
b BrowseDN Browse an entry's DN
How is EditDN permission different from Write permission on the naming
attribute? How is BrowseDN permission different from Search permission
on the naming attribute? Can I have EditDN permission on the entry
without explicit Write permission on the naming attribute of the
entry? What would it mean?
(EJS) EditDN and BrowseDN work at the entry level (DN) and equate to
permissions to modify/access the DN for
ldapmodifyDN/ldapmodifyRDN/ldapSearch operations.
Write works at the attribute level on attributes.
And do we really need both Search and Compare permissions?
(EJS) Yes, search and compare are 2 different operations.
TECHNICAL: What's the interaction between "[entry]" and attributes: if
somebody has add permission for objects but is denied permissions for
certain attributes, what happens?
(EJS) None. [entry] applies to the permissions a/d/e/b. [all] applies to the
permissions for attributes. If a person has add permission, then he can add
an entry and its attributes to that place in the DIT. The permissions for the
attributes he added as part of adding that entry are governed by the access
control attribute (ldapACI) that is added to that entry.
Ellen