Re: slapo-allowed: allowedChildClasses and allowedChildClassesEffective (was: Seg faults with 2.4.22)
> Redirected this to openldap-devel...
> email@example.com wrote:
>> slapo-allowed was modified between 2.4.21 and 2.4.22; support for
>> allowedChildClasses and allowedChildClassesEffective was added.
> The semantics you've implemented seems to be incompatible with my
> implementation in web2ldap which works correctly with MS AD. I do not
> claim to know the *exact* semantics of these attributes though.
> web2ldap only uses the attribute 'allowedChildClasses'.
> In the object class select form web2ldap now only shows an empty list of
> STRUCTURAL object classes to be usable for a new entry. AUXILIARY object
> classes are shown. At first glance it seems STRUCTURAL object classes are
> returned by slapo-allowed in the search result at all.
Since the main purpose of that overlay is to mimic AD, I think your
observations make sense. I inferred the semantics of those attributes
from the description I found in the links I was pointed to by Andrew
Bartlett. My interpretation is that allowedChildClasses should list the
objectClasses that can be added to a given entry; in my interpretation,
these are all AUXILIARY objectClasses known to the DSA. The
allowedChildClassesEffective are those objectClasses the identity is
allowed to add by ACLs, and whose required attrs the identity is allowed
to add by ACLs. Unless I made any coding mistake...