
Re: Global ACLs - Impacts access control and SLAPI (ITS#3100)

> I don't think it is broke, but intended behavior:
> If there are global acls, they apply to all databases
> after any db acls.  If the db has no acls, global acls
> are used.
> If the target is not within any database, acls of
> first database (then global acls) apply.
> It's been this way for many years (long before SLAPI).

I'll revert in a moment.  My concern was that
when addressing rootDSE or cn=subschema, I had
to run through the first database rules, which is
counterintuitive; wouldn't it be better to
address this specific case by short-circuiting
to global_acl?


Pierangelo Masarati
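
Added example, not part of the original message and not OpenLDAP code: a small Python model of the ACL selection order described in the quoted text, next to the short-circuit proposed in the reply for rootDSE and cn=subschema. The function names, suffixes and ACL strings are constructed for illustration.

```python
# Model of the ACL selection order discussed in this thread.
# All names, suffixes and rules below are constructed; this is not slapd code.

GLOBAL_ACLS = ["access to * by * read"]

# Databases in configuration order; the first one is the fallback.
DATABASES = [
    {"suffix": "dc=example,dc=com",
     "acls": ["access to * by users read by * none"]},
    {"suffix": "dc=example,dc=org", "acls": []},  # no database ACLs
]

# rootDSE is the empty DN; cn=subschema is the subschema subentry.
SPECIAL_DNS = {"", "cn=subschema"}


def normalize(dn):
    """Lower-case a DN and trim spaces around its components."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def find_database(dn, databases):
    """Return the database whose suffix contains dn, or None."""
    dn = normalize(dn)
    for db in databases:
        suffix = normalize(db["suffix"])
        if dn == suffix or dn.endswith("," + suffix):
            return db
    return None


def acl_chain(dn, databases, global_acls, short_circuit=False):
    """Return the ordered ACL list evaluated for dn.

    short_circuit=False: behaviour described in the quoted text
    (database ACLs first, then global; a target outside every
    database falls back to the first database).
    short_circuit=True: the reply's proposal, where rootDSE and
    cn=subschema are checked against the global ACLs only.
    """
    db = find_database(dn, databases)
    if db is None:
        if short_circuit and normalize(dn) in SPECIAL_DNS:
            return list(global_acls)
        db = databases[0] if databases else None
    db_acls = db["acls"] if db else []
    return list(db_acls) + list(global_acls)


if __name__ == "__main__":
    for target in ("", "cn=Subschema", "uid=a,dc=example,dc=org"):
        print(repr(target), acl_chain(target, DATABASES, GLOBAL_ACLS))
```

In this model a restrictive rule in the first database is evaluated before the global ACLs for a rootDSE read, which is the counterintuitive effect the reply points at.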