
(ITS#4730) Overlay that generates operational attributes to support GUI interaction

Full_Name: Pierangelo Masarati
Version: HEAD
OS: irrelevant
URL: ftp://ftp.openldap.org/incoming/pierangelo-masarati-2006-11-03-allowed.c
Submission from: (NULL) (
Submitted by: ando

This overlay provides simple support for allowedAttributes and
allowedAttributesEffective, a (somewhat broken) AD feature that is intended to
help GUIs determine, based on the current objectClass values of an
object, what attributes would comply with the schema (without distinction
between "allowed" and "required"), by listing them in "allowedAttributes", and,
furthermore, by providing a hint as to which of those values could be effectively
added by the current connection, by listing them in
"allowedAttributesEffective".  This is broken since it doesn't consider the
possibility of value-dependent ACLs, so it should really be considered just a
hint, while the "allowedAttributes" could really be computed starting from the
schema definition, which remains the recommended way to solve the problem.

So this overlay should really be considered only food for thought as a starting
base for a tighter integration of OpenLDAP into Samba4.

There's minimal support for "allowedChildClasses" and
"allowedChildClassesEffective", whose definition is absolutely obscure to me, as
I believe the only classes that can be added to an existing object are all the
AUXILIARY ones, while considering what are effectively allowed implies getting
into value-dependent ACLs.

Some discussion can be found here (follow the thread)
while portions of the schema definition have been taken from here
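
The schema-side computation the message recommends can be sketched as follows. This is an added example, not code from the submitted overlay: the function names are hypothetical, the definitions are a constructed sample abridged from RFC 4519, and the parser assumes no DESC strings containing keywords. It covers only "allowedAttributes"; the "Effective" variant depends on ACLs and cannot be derived from the schema.

```python
import re

# Constructed sample: objectClass definitions in RFC 4512 syntax, as a client
# would read them from the subschema entry (abridged from RFC 4519).
SCHEMA = [
    "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )",
    "( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) "
    "MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )",
    "( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL "
    "MAY ( title $ ou $ l $ postalAddress ) )",
]

def _names(definition, keyword):
    """Names following keyword: a single token or a parenthesised list."""
    m = re.search(r"\b%s\s+(?:\(([^)]*)\)|([\w;.'-]+))" % keyword, definition)
    if not m:
        return []
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    return [t.strip("'") for t in re.split(r"[\s$]+", raw) if t.strip("'")]

def load(schema):
    """Index each definition under all of its (case-insensitive) names."""
    classes = {}
    for d in schema:
        entry = {k: _names(d, k) for k in ("NAME", "SUP", "MUST", "MAY")}
        for name in entry["NAME"]:
            classes[name.lower()] = entry
    return classes

def allowed_attributes(object_classes, classes):
    """Union of MUST and MAY over each class and its SUP chain.

    No distinction is made between required and allowed attributes,
    matching the behaviour described for "allowedAttributes".
    """
    allowed, seen = set(), set()
    todo = [c.lower() for c in object_classes]
    while todo:
        oc = todo.pop()
        if oc in seen or oc not in classes:  # unknown classes are skipped
            continue
        seen.add(oc)
        allowed.update(classes[oc]["MUST"], classes[oc]["MAY"])
        todo.extend(s.lower() for s in classes[oc]["SUP"])
    return sorted(allowed)

if __name__ == "__main__":
    print(allowed_attributes(["organizationalPerson"], load(SCHEMA)))
```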