[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: JDNI allows non-schema changes (ITS#2151)

At 12:32 PM 2002-10-25, quanah@stanford.edu wrote:
>Well, suKerberosService and krb5Principal are not part of suPerson, so I 
>think that would then mean they aren't implicitly present?

Yes.  If suPerson doesn't SUP suKerberosService or krb5Principal,
then an objectClass which lists only explicitly lists suPerson
does not implicitly list suKerberosService nor krb5Principal.
In this case, you may be able to use ACLs (with "by filter="
clauses) to deny addition of entries which belong to
the suPerson but don't belong to either suKerberosService or
krb5Principal.   For example,

 access to attrs=entry
        by self write

 access to attrs=entry filter=(objectClass=suPerson)
        by self none

I intend to now close this ITS as not being indicative of a
software bug.  The "software use" issue should be continued
on the software list.