Re: commit: ldap/servers/slapd/overlays dyngroup.c
Russ Allbery wrote:
The dgAuthz/dgPolicy stuff that Ando proposed doesn't preclude what you want to
do. I just am not convinced yet that dgAuthz is necessary. The code I just
committed for dynlist.c leaves that out for now; we can add it later if the
consensus is that it's useful.
So, that behavior of letting the dynlist or dyngroup overlay do a query
that the user querying the group tree is not themselves permitted to make
is exactly what we need, since we can then use the more granular access
control possible on the separate group DNs to implement control over
entitlement visibility that's otherwise annoying to represent.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/