Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)
Kurt D. Zeilenga writes:
> In your patch, it appears that modify/replace only requires
> add. However, as modify/replace deletes existing values,
> it should require delete as well.
What if there is no attribute to delete?
What you say is consistent with current behaviour, but current
behaviour does not look right to me:
    access to attrs=foo val=bar by * read
    access to * by self write
                by * read
does not prevent replace:foo if the entry contains foo:bar.
It's documented, though. But if it is the intended behaviour,
I think slapd startup should at least try to warn about it.
I'll file an ITS when I know what the error is :-)