[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: entryDN not allowed in compare

At 05:15 AM 1/21/2005, Pierangelo Masarati wrote:
>[possibly related to ITS#3491]
>I note that entryDN is not allowed in compare.

Other than maybe completeness, is there any other reason
why we need to support this?

As entryDN is operational, it fine for it not to be available
for all uses.  It's really only intended for use with the
search operation.

>Of course that's trivial,
>because the assertion is always true if the asserted value is equal to the
>requested DN, but I wonder why not, say, just perform the check in the
>frontend?  All in all what would be really missing is access control,
>which could be performed by calling backend_attribute().  The whole
>compare operation could be performed in the frontend by calling
>backend_attribute().  In some sense, access to entryDN should be equal to
>access to the pseudo-attribute "entry".

I some sense, maybe.  But I rather "entry" grant permission to
the object (entry) as a whole.

>Pierangelo Masarati
>    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497