Re: Issue with default ACL selection and back-config (revitalizing ITS#3100?...)
Kurt D. Zeilenga wrote:
At 06:57 PM 4/12/2005, Howard Chu wrote:
With the current framework, we can have a global rootdn at no cost
because of the frontendDB database (maybe it's already possible by just
defining "rootdn" outside any database directive), so if one has any
unrestricted global access needs it can be easily solved.
I'm fine with doing away with the "first DB ACLS are used if
no global ACLs" feature.
The one difference is that with the "first DB" behavior, a user bound as the rootDN of the first DB would automatically have unrestricted access to the rootDSE etc. (Not that there's anything in there for which root access is particularly important.) Removing this feature would require explicit global ACLs for those cases, as the rootDN of the first DB would no longer be "special" in the context of the rootDSE or schema subentry.
Actually, this may hint at why we have the firstDB acls
apply to global items... it's more about the firstDB rootdn.
I guess I would not be opposed to adding a global rootdn.
I might even be not opposed to removing DB rootdns (e.g.,
only having a global rootdn). But then, I've always thought
the rootdn to be evil, though a sometimes necessary evil.
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497