
Re: userPassword not SINGLE-VALUE ?


On Saturday 08 November 2003 14:47, Ace Suares wrote:
> How do I find out which attributes have been hardcoded into OpenLDAP ?
> I tried 'uid' and it seems to be a multivalued attribute too, that is not
> defined in one of the schemas.

You may compare the schema for the running server with the 
contents of the schema files you included in slapd.conf.
(With a minimal set of schema files it is easier ;-)

Alternatively you can have a look into the source files
 servers/slapd/schema_init.c and servers/slapd/schema_prep.c

> This is something that bothers me - if a user wants to change a password,
> he/she need write access and automagically has read access. Why is there
> not such thing as 'change' access level ?

Do not use the access levels, use privileges. Access levels increase the 
rights with each step while privileges explicitly allow/forbid each right.
With the privilege system you can give a user write rights without giving it read 
rights:  by self  =w 
At least if I understand the slapd.access man page correctly ;-)

> I have similar thoughts about adding an entry and then restrict the
> possibility of modifying or deleting it. Why is there no such thing as
> 'add' access level ? How did the set xcsrw access-levels came into being?
> Who designed this limited set, and was there a good reason to do so? Can it
> be changed (probably with RFC ?).

What you here call a "limited set" of access levels  are in fact the 
privileges ;-)

I think with the access levels/privileges to entries you are right:
Operations on entries that are not pure attribute modifications are Create, 
Rename and Delete. It looks like they cannot be allowed/forbidden separately.

Let me suggest the letters that start these operations (in uppercase)  as an 
extension to the privilege system: C=create, R=rename, D=delete  ;-)))


Peter Marschall
eMail: peter@adpm.de
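As an added illustration (not part of the original message) of the level-versus-privilege distinction discussed above, here are two slapd.conf access clauses for the userPassword attribute from the thread subject; the attribute name is taken from the subject, everything else is an assumed minimal configuration.

```conf
# Added example, not from the original post: two ways to let users change
# their own password in slapd.conf.

# Level form. Levels are cumulative: "write" implies read, search and compare,
# so the entry owner can also read back the stored password hash.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Privilege form. "=w" grants exactly the write privilege and nothing else:
# the owner can modify userPassword but cannot read, search or compare it.
# "=x" grants only the auth privilege needed to bind, same as the "auth" level.
access to attrs=userPassword
        by self =w
        by anonymous =x
        by * none
```

Only one of the two clauses should be present for a given attribute, since slapd stops at the first matching "access to" clause.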