[Date Prev][Date Next]
Re: ACIs and OL 2.3
--On Wednesday, February 14, 2007 12:24 AM +0100 Pierangelo Masarati
Alex Samad wrote:
On Tue, Feb 13, 2007 at 06:50:02PM +0100, Pierangelo Masarati wrote:
Turbo Fredriksson wrote:
I'm not quite sure how it is SUPPOSED to work, but from
my view, it's broken - ACI's don't work with re23 which is a
stable release... ? Using ACI's, I have to access to create
objects - that's what I see any way...
Well, nobody knows how it's supposed to work, since the expected
behavior is undocumented.
Is there any doco on this, I don't know anything about it, could your
provide a pointer to some info.
Browse <http://www.openldap.org/faq/data/cache/1284.html> in general for
OpenLDA access control customization capabilities, and
<http://www.openldap.org/faq/data/cache/758.html> for more details about
ACIs. Note, that document is pretty old; something changed across time
(which caused this thread, BTW). ACIs need to be documented; our
reluctance also stems from the consideration that good documentation
would encourage rather than discourage their use... anyway, volunteers
I am presume this is a way of apply acl's to objects ?
Yes (experimental, deprecated and discouraged).
I think this is the very important part here -- deprecated and discouraged.
I'd argue that long term, ACI support should be removed entirely (perhaps
for 2.5?). The entire concept of ACI's is broken.
Principal Software Developer
ITS/Shared Application Services
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html