[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Global ACLs - Impacts access control and SLAPI (ITS#3100)
> I don't think it is broke, but intended behavior:
>
> If their are global acls, they apply to all databases
> after any db acls. If the db has no acls, global acls
> are used.
>
> If the target is not within any database, acls of
> first database (then global acls) apply.
>
> It's been this way for many years (long before SLAPI).
I'll revert in a moment. My concern was that
when addressing rootDSE or cn=subschema, I had
to run thru the first database rules, which is
counterintuitive; wouldn't it be better to
address this specifical case by short-circuiting
to global_acl?
p.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it