Mark,

Would your example prevent me from using the Compare operation?

Cheers,

....Erik.

Erik Skovgaard
Siemens Meta-Directory Solutions
Phone: +1 604-204-0750
Fax: +1 604-204-0760

-----Original Message-----
From: Mark Davidson [mailto:markd@pwd.hp.com]
Sent: Friday, July 06, 2001 09:32
To: Skovgaard, Erik
Cc: ietf-ldapext@netscape.com
Subject: Re: ACM permission

> I think you will need at least a Filter Matching permission for attributes
> as well. A classical way to break security in a directory is to search for
> entries with userPassword=*joan* (or whatever...).
>
> Should there be a permission for Compare operations as well? Denying
> compare on operational information could be used to keep curious users from
> poking at the ACIs themselves.

You could cover all this with the attribute-level read. I know this is not as
fine grained as the permissions in the current draft, but it is a lot less
complex to admin. So in the cases you have mentioned:

deny:r#OID.userPassword,OID.subtreeACI,OID.entryACI#authnLevel:none:public:

Mark
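The point Mark makes above, that an attribute-level read denial also covers filter matching and compare, as an added Python model that is not from the draft or from either correspondent. The entry, the DENY_READ rule table and the placeholder password value are constructed for this example, and the "Undefined" filter result follows RFC 4511 semantics rather than the draft's ACI syntax.

```python
# Added model: a directory applies attribute-level read rights before a
# search filter or a compare is evaluated, so a subject that may not read
# userPassword cannot use "userPassword=*joan*" as an oracle.
# Assumption: DENY_READ and ENTRY below are constructed for this example;
# they are not the draft's ACI syntax or any real server's data.
from fnmatch import fnmatchcase

ENTRY = {  # constructed entry; the password value is a placeholder
    "dn": "uid=joan,ou=people,dc=example,dc=com",
    "uid": ["joan"],
    "userPassword": ["{CLEAR}joan-placeholder-secret"],
    "entryACI": ["placeholder-aci"],
}

# subject -> attributes that subject is denied read access to
DENY_READ = {"public": {"userPassword", "entryACI", "subtreeACI"}}


def can_read(subject, attr):
    return attr not in DENY_READ.get(subject, set())


def substring_assertion(entry, attr, pattern, subject):
    """Evaluate the filter assertion (attr=pattern).
    Returns True/False, or None for the LDAP 'Undefined' result when the
    subject may not read attr (RFC 4511 style), so the filter reveals
    nothing about the value. '*' is the substring wildcard (fnmatch syntax)."""
    if not can_read(subject, attr):
        return None
    return any(fnmatchcase(v, pattern) for v in entry.get(attr, []))


def search(entry, attr, pattern, subject):
    """Return the DNs the filter matches; an Undefined assertion never matches."""
    return [entry["dn"]] if substring_assertion(entry, attr, pattern, subject) else []


def compare(entry, attr, value, subject):
    """Compare gated by the same read right: a denied attribute yields
    insufficientAccessRights instead of compareTrue/compareFalse."""
    if not can_read(subject, attr):
        return "insufficientAccessRights"
    return "compareTrue" if value in entry.get(attr, []) else "compareFalse"


if __name__ == "__main__":
    print(search(ENTRY, "userPassword", "*joan*", "public"))  # []
    print(search(ENTRY, "userPassword", "*joan*", "admin"))
    print(compare(ENTRY, "entryACI", "placeholder-aci", "public"))
```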