[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: entryDN not allowed in compare

To: ando@sys-net.it
Subject: Re: entryDN not allowed in compare
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Fri, 21 Jan 2005 10:08:41 -0800
Cc: openldap-devel@OpenLDAP.org
In-reply-to: <44373.131.175.154.56.1106313316.squirrel@131.175.154.56>
References: <44373.131.175.154.56.1106313316.squirrel@131.175.154.56>

At 05:15 AM 1/21/2005, Pierangelo Masarati wrote:
>[possibly related to ITS#3491]
>
>I note that entryDN is not allowed in compare.

Other than maybe completeness, is there any other reason
why we need to support this?

As entryDN is operational, it fine for it not to be available
for all uses.  It's really only intended for use with the
search operation.

>Of course that's trivial,
>because the assertion is always true if the asserted value is equal to the
>requested DN, but I wonder why not, say, just perform the check in the
>frontend?  All in all what would be really missing is access control,
>which could be performed by calling backend_attribute().  The whole
>compare operation could be performed in the frontend by calling
>backend_attribute().  In some sense, access to entryDN should be equal to
>access to the pseudo-attribute "entry".

I some sense, maybe.  But I rather "entry" grant permission to
the object (entry) as a whole.


>p.
>
>-- 
>Pierangelo Masarati
>mailto:pierangelo.masarati@sys-net.it
>
>
>    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497

Follow-Ups:
- Re: entryDN not allowed in compare
  - From: Pierangelo Masarati <ando@sys-net.it>
- Re: entryDN not allowed in compare
  - From: Pierangelo Masarati <ando@sys-net.it>

References:
- entryDN not allowed in compare
  - From: "Pierangelo Masarati" <ando@sys-net.it>

Prev by Date: Re: back-ldap and StartTLS
Next by Date: Re: entryDN not allowed in compare
Index(es):
- Chronological
- Thread