Re: Global ACLs - Impacts access control and SLAPI (ITS#3100)
> At 06:12 AM 4/20/2004, email@example.com wrote:
>>> I don't think it is broke, but intended behavior:
>>> If there are global acls, they apply to all databases
>>> after any db acls. If the db has no acls, global acls
>>> are used.
>>> If the target is not within any database, acls of
>>> first database (then global acls) apply.
>>> It's been this way for many years (long before SLAPI).
>>I'll revert in a moment. My concern was that
>>when addressing rootDSE or cn=subschema, I had
>>to run thru the first database rules, which is
>>counterintuitive; wouldn't it be better to
>>address this specific case by short-circuiting
> Then they wouldn't be global acls. They'd be
> acls which applied to objects outside of all
> databases. While it might make sense to have
> a set of ACLs which applied to this set of
> objects, it is different set concept than
> (Note that global ACLs were invented before there
> was a root DSE or cn=subschema.)
- DN is within namingContext?
apply namingContextACL, then globalACL
- DN is not within namingContext?
This (to me) would sound more intuitive:
go from local to global; stay global otherwise.
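
The two orderings discussed in this thread, modelled side by side. This is an added example, not part of the original messages and not slapd source; the function names, database suffixes and ACL labels are constructed, and DN matching is a naive comma split that assumes no escaped commas.

```python
# Added illustration: a model of the two ACL orderings discussed in this
# thread. It is not slapd source; suffixes and ACL labels are constructed.

def rdns(dn):
    # Naive RDN split (assumption: no escaped commas in the sample DNs).
    return [r.strip().lower() for r in dn.split(",") if r.strip()]

def dn_within(dn, suffix):
    """True if dn equals suffix or is subordinate to it."""
    d, s = rdns(dn), rdns(suffix)
    return bool(s) and d[-len(s):] == s

def select_db(dn, databases):
    """Database with the longest suffix containing dn, else None."""
    hits = [db for db in databases if dn_within(dn, db["suffix"])]
    return max(hits, key=lambda db: len(rdns(db["suffix"])), default=None)

def current_order(dn, databases, global_acls):
    """Behaviour described in the thread: a DN outside every database is
    checked against the first database's ACLs, then the global ACLs."""
    db = select_db(dn, databases)
    if db is None and databases:
        db = databases[0]
    return (db["acls"] if db else []) + global_acls

def proposed_order(dn, databases, global_acls):
    """Proposal in the thread: local then global; global only otherwise."""
    db = select_db(dn, databases)
    return (db["acls"] if db else []) + global_acls

# Constructed sample configuration: two databases and one global rule.
DATABASES = [
    {"suffix": "dc=example,dc=com", "acls": ["db1: deny userPassword"]},
    {"suffix": "dc=example,dc=org", "acls": []},
]
GLOBAL_ACLS = ["global: read by *"]

if __name__ == "__main__":
    # "" stands for the root DSE; cn=subschema is outside both suffixes.
    for dn in ("uid=a,dc=example,dc=com", "cn=x,dc=example,dc=org",
               "", "cn=subschema"):
        print(repr(dn), current_order(dn, DATABASES, GLOBAL_ACLS),
              proposed_order(dn, DATABASES, GLOBAL_ACLS))
```

For the root DSE and cn=subschema the first ordering puts the first database's rules ahead of the global ones, so reordering the database sections changes which rules decide access to those entries.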