
Re: ACIs and OL 2.3



Quoting Pierangelo Masarati <ando@sys-net.it>:

>> Creating a simple object like this:
>> ----- s n i p -----
>> dn: o=phpQLAdmin_Branch_Test,c=se
>> objectclass: top
>> objectclass: organization
>> o: phpQLAdmin_Branch_Test
>> openldapaci: 0#entry#grant;w,r,s,c;[all]#access-id#uid=turbo,ou=people,o=fredriksson,c=se
>> ----- s n i p -----
>>
>> Adding the line:
>> ----- s n i p -----
>> openldapaci: 1#entry#grant;w,r,s,c;[entry]#access-id#uid=turbo,ou=people,o=fredriksson,c=se
>> ----- s n i p -----
>>
>> Will only give me:
>> ----- s n i p -----
>> ldap_add: Invalid syntax (21)
>>         additional info: openldapaci: value #1 invalid per syntax
>> ----- s n i p -----
>
> By quickly reading the code, it seems that the effect you desire is
> obtained by setting no attribute type, or by using "entry" instead of
> "[entry]".

Neither of these works. The first with 'no write access to entry' and the
second with 'openldapaci: value #0 invalid per syntax'.

----- s n i p -----
dn: o=phpQLAdmin_Branch_Test,c=se
objectclass: top
objectclass: organization
o: phpQLAdmin_Branch_Test
openldapaci: 0#entry#grant;w,r,s,c;entry#public#
openldapaci: 1#entry#grant;w,r,s,c;[all]#access-id#uid=turbo,ou=people,o=fredriksson,c=se
----- s n i p -----

> I suggest you test HEAD code to see if it fits your needs; if it does,
> you could enucleate a patch that backports desired features to re23,
> and post it to the ITS.  Otherwise, you should file an ITS, requesting
> backporting of the desired features that are in HEAD along with their
> fix (if it's buggy) or enhancement (if discussion about what you
> consider an enhancement gains consensus).

Shouldn't the '[all]' cover all this? If I get/have ALL
access on the object, shouldn't that include entry and all its
attributes!?

I'm not quite sure how it is SUPPOSED to work, but from
my view, it's broken - ACIs don't work with re23 which is a
stable release... ? Using ACIs, I have to access to create
objects - that's what I see anyway...

And the little documentation there is on the subject doesn't tell
me that I'm using it wrongly (I can live with the changes to
'one attribute per openldapaci' - quite easy to programmatically
change).


I can have a look at HEAD, but...