Re: rename across trees: manageDIT?
Pierangelo Masarati wrote:
I guess this is something slightly different: I want to defer access
checking to the time the backend calls acl_check_modlist(); but in
that case, noUserMod attrs don't get checked because access checking
assumes they were internally generated, while they were actually
supplied by the user under the umbrella of manageDIT. So the answer
is no, unless I'm missing something.
One thing I was totally missing is that right now manageDIT can only
be used by the rootdn identity. If this limitation is not going to be
removed, the entire idea of manage access privilege is going to be
useless, and I was finding it quite interesting, because it gives a
lot of freedom in delegating fine-grained administration capabilities.
I have non-root manage access consistently checked for modifies and
(partially) for adds (in back-bdb, at least; could be confined into
access checking, though). I think manage access makes little sense for
modrdn and delete, but I might have overlooked something. Should I go
on and commit it?
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497