[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5705) [enhancement] slapo-constraint could honor "relax" by not checking for constraints

ando@sys-net.it wrote:
> michael@stroeder.com wrote:
>> What's the use-case for this? I'm concerned about overloading the
>> semantics of Relax Rules control far beyond what's written in
>> draft-zeilenga-ldap-relax.
> Well, a user with "manage" privileges on related data could bypass 
> constraints enforced by slapo-constraint(5) by using the "relax" 
> control.

This is a technical description.

>  The rationale is that a user with manage privileges could be 
> able to repair an entry that needs to violate a constraint for good 
> reasons.

Currently I can't imagine a use-case for this particular violation of
constraints. Do you have one? Just an example?

> I decided to overload "relax" rather than defining a specific control 
> because I believe this fits into the spirit of "relax". 

I'm not sure. See, I try to support Relax Rules control in web2ldap. If
the control is in effect the behaviour of the UI has to be heavily
changed. I even considered proposing a that the Relax Rules control
should have different values for specifying what particular constraint
shall be relaxed.

> In fact, the 
> resulting entry would violate a constraint, but would not violate the 
> protocol.

Yes. I'm more concerned about complexity in a UI frontend.

Ciao, Michael.