Re: JDNI allows non-schema changes (ITS#2151)



At 12:32 PM 2002-10-25, quanah@stanford.edu wrote:
>Well, suKerberosService and krb5Principal are not part of suPerson, so I 
>think that would then mean they aren't implicitly present?

Yes.  If suPerson doesn't SUP suKerberosService or krb5Principal,
then an objectClass which only explicitly lists suPerson
does not implicitly list suKerberosService nor krb5Principal.
In this case, you may be able to use ACLs (with "by filter="
clauses) to deny addition of entries which belong to
the suPerson but don't belong to either suKerberosService or
krb5Principal.   For example,

 access to attrs=entry
  filter=(&(objectClass=suPerson)(objectClass=suKerberosService)(objectclass=krb5Principal))
        by self write
        ...

 access to attrs=entry filter=(objectClass=suPerson)
        by self none
        ...

I intend to now close this ITS as not being indicative of a
software bug.  The "software use" issue should be continued
on the software list.

Kurt
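
Added example, not part of the message above and not OpenLDAP code: a simplified Python model of how slapd selects the first access directive whose filter matches, applied to the two directives in the message. It assumes each filter reduces to an AND of objectClass equality tests, leaves out the elided "..." by-clauses, and uses constructed sample entries.

```python
# Simplified model of slapd's first-match access evaluation for the
# pseudo-attribute "entry". Assumptions: filters are an AND of objectClass
# equality tests (stored as sets); the elided "..." by-clauses are omitted.

# Directives in the order given in the message: (required classes, {who: level})
ACL = [
    ({"suPerson", "suKerberosService", "krb5Principal"}, {"self": "write"}),
    ({"suPerson"}, {"self": "none"}),
]

def _norm(values):
    # objectClass values compare case-insensitively
    return {v.lower() for v in values}

def entry_access(object_classes, who="self", acl=ACL):
    """Return (index of the directive that applied, access level)."""
    present = _norm(object_classes)
    for idx, (required, by) in enumerate(acl):
        if _norm(required) <= present:
            # Evaluation stops at the first directive whose <what> matches;
            # a <who> that is not listed gets the implicit "by * none".
            return idx, by.get(who, "none")
    # No directive matched: implicit "access to * by * none".
    return None, "none"

# Constructed sample entries (objectClass values only)
SAMPLES = {
    "complete": ["top", "suPerson", "suKerberosService", "krb5Principal"],
    "mixed case": ["SUPERSON", "sukerberosservice", "KRB5principal"],
    "suPerson only": ["top", "suPerson"],
    "one class missing": ["suPerson", "krb5Principal"],
    "not an suPerson": ["top", "organizationalUnit"],
}

if __name__ == "__main__":
    for name, classes in SAMPLES.items():
        print(f"{name:18} -> {entry_access(classes)}")
    # Order matters: with the broad directive first, the complete entry
    # is matched by it and never reaches the specific one.
    print("reversed order     ->",
          entry_access(SAMPLES["complete"], acl=list(reversed(ACL))))
```

Listing the suPerson-only directive first would deny every suPerson entry, since the more specific directive would never be reached.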