[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: slapo-dynlist desgin question(s)

--On Saturday, January 13, 2007 1:36 PM -0800 Quanah Gibson-Mount <quanah@stanford.edu> wrote:

--On Saturday, January 13, 2007 11:03 AM +0100 Pierangelo Masarati
<ando@sys-net.it> wrote:

Using the rootdn to generate the list, and
then check access to the list itself may not be correct, because the
dynamic list could become a means to circumvent access control to the
actual data; think of a case where the effective user has no privileges
on the actual data, but has compare, or even read access to the
dynamically generated list.  Then, if the list were generated as rootdn,
the user would be able to compare, or even read, on data that is a
derivative of otherwise inaccessible data.  I would consider this a
violation of data integrity.

Oh, and much thanks for the patch. :)  I'll give it a try here soon. ;)


-- Quanah Gibson-Mount Principal Software Developer ITS/Shared Application Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html