Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)

Hallvard B Furuseth wrote:

What if there is no attribute to delete?

What you say is consistent with current behaviour, but current
behaviour does not look right to me:

 access to attrs=foo val=bar by *    read
 access to *                 by self write
                             by *    read

does not prevent replace:foo if the entry contains foo:bar.

It's documented, though.  But if it is the intended behaviour,
I think slapd startup should at least try to warn about it.
I'll file an ITS when I know what the error is:-)

I think iterating on all existing values when doing a full delete or a replace would fix this. Currently, write access to full deletion is checked without passing the value.
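Added example, not part of the original message and not slapd's code: a simplified Python model of first-match ACL evaluation for the two rules quoted above. It compares a replace check made without passing a value against one that iterates over the values already in the entry. The function names, the rule encoding and the sample entry are assumptions made for illustration.

```python
# Simplified model of first-match ACL evaluation; an illustration, not slapd's code.
READ, WRITE = 1, 2

# Each rule: (attr or None for "*", val or None for any value, [(who, level), ...])
ACLS = [
    ("foo", "bar", [("*", READ)]),                # access to attrs=foo val=bar by * read
    (None, None, [("self", WRITE), ("*", READ)]), # access to * by self write by * read
]

def granted(attr, value, is_self):
    """Level granted by the first 'access to' clause matching (attr, value)."""
    for a_attr, a_val, by in ACLS:
        if a_attr is not None and a_attr != attr:
            continue
        # A val= clause can only match when a value is passed to the check.
        if a_val is not None and a_val != value:
            continue
        for who, level in by:
            if who == "*" or (who == "self" and is_self):
                return level
        return 0  # clause matched, but no 'by' clause applied
    return 0

def replace_allowed_current(attr, new_values, is_self):
    """Modelled current behaviour: the delete half is checked with no value."""
    if granted(attr, None, is_self) < WRITE:
        return False
    return all(granted(attr, v, is_self) >= WRITE for v in new_values)

def replace_allowed_iterating(entry, attr, new_values, is_self):
    """Proposed check: also require write access on every existing value."""
    if any(granted(attr, v, is_self) < WRITE for v in entry.get(attr, [])):
        return False
    return replace_allowed_current(attr, new_values, is_self)

ENTRY = {"foo": ["bar"]}  # constructed sample entry

if __name__ == "__main__":
    print("value-less check:", replace_allowed_current("foo", ["baz"], True))
    print("iterating check: ", replace_allowed_iterating(ENTRY, "foo", ["baz"], True))
```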


