[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Enforcing attribute ACL on add operations

Howard Chu wrote:
Kurt Zeilenga wrote:
On Sep 27, 2008, at 8:59 AM, Emmanuel Dreyfus wrote:


Right now, slapd ignore attribute ACL when performing an add

I note that this is the expected behavior, been so for many, many years.

Yes, but it never really made much sense - it means you can be forbidden from modifying an existing record to contain certain privileged data, but not forbidden from creating records with privileged data. It makes sense to me that your ability to create particular data values should not depend on whether you're creating it for the very first time, or some subsequent time.

(Coming at it from the opposite direction, Delete of course requires you to permit the Delete even if certain attributes are read-only; since every entry contains read-only operational attributes, deletes would be impossible without this provision.)

Well, the user doesn't add operational attrs either, so it is perfectly symmetric that read-only attributes are automatically destroyed by users with "delete" permission on "entry".

In any case, I note that fixing this issue broke test006 (at least).


Ing. Pierangelo Masarati OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it