Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)

Kurt D. Zeilenga writes:
> In your patch, it appears that modify/replace only requires
> add.  However, as modify/replace deletes existing values,
> it should require delete as well.

What if there is no attribute to delete?

What you say is consistent with current behaviour, but current
behaviour does not look right to me:

  access to attrs=foo val=bar by *    read
  access to *                 by self write
                              by *    read

does not prevent replace:foo if the entry contains foo:bar.

It's documented, though.  But if it is the intended behaviour,
I think slapd startup should at least try to warn about it.
I'll file an ITS when I know what the error is:-)
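
An added example (not part of the original message and not slapd code): a simplified Python model of the two rules quoted above, showing why replace:foo gets through and how also checking the values being removed closes the gap. The first-match evaluation, the skipping of val= rules when no value is checked, the literal "self" subject, and the names `replace_allowed` and `check_deleted` are assumptions of this model.

```python
# Simplified model (assumption, not slapd source): the first matching
# "access to" clause decides, and a clause carrying val= is skipped when
# the check is made without a value.
LEVELS = {"none": 0, "read": 1, "write": 2}

# The two rules from the message: (attr or "*", val or None, [(who, level)])
ACL = [
    ("foo", "bar", [("*", "read")]),
    ("*", None, [("self", "write"), ("*", "read")]),
]

def access(attr, value, who):
    """Return the level granted to `who` for attr (and value, if given)."""
    for rule_attr, rule_val, by in ACL:
        if rule_attr not in ("*", attr):
            continue
        if rule_val is not None and rule_val != value:
            continue  # value-qualified rule: no value given, or mismatch
        for subject, level in by:
            if subject in ("*", who):
                return LEVELS[level]
        return LEVELS["none"]  # clause matched but no "by" applied
    return LEVELS["none"]

def can_write(attr, value, who):
    return access(attr, value, who) >= LEVELS["write"]

def replace_allowed(entry, attr, new_values, who, check_deleted=False):
    """Check modify/replace of attr. With check_deleted=True every
    existing value must also be writable, since replace removes it."""
    if not can_write(attr, None, who):
        return False
    if not all(can_write(attr, v, who) for v in new_values):
        return False
    if check_deleted:
        return all(can_write(attr, v, who) for v in entry.get(attr, []))
    return True

entry = {"foo": ["bar"]}  # constructed sample entry

if __name__ == "__main__":
    print(replace_allowed(entry, "foo", ["baz"], "self"))        # new values only
    print(replace_allowed(entry, "foo", ["baz"], "self", True))  # removed values too
    print(replace_allowed({}, "foo", ["baz"], "self", True))     # nothing to delete
```

With `check_deleted=True` an entry that has no foo values passes the extra check trivially, which is the "no attribute to delete" case raised above.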