[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: effective rights, was: Determine current access level

To: Pierangelo Masarati <ando@sys-net.it>
Subject: Re: effective rights, was: Determine current access level
From: Michael StrÃder <michael@stroeder.com>
Date: Tue, 05 Aug 2008 16:15:51 +0200
Cc: openldap-software@openldap.org
In-reply-to: <13653689.5411217944489921.JavaMail.root@mail2.sys-net.it>
References: <13653689.5411217944489921.JavaMail.root@mail2.sys-net.it>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko/20080702 SeaMonkey/1.1.11

Pierangelo Masarati wrote:

----- "Michael StrÃder" <michael@stroeder.com> wrote:
Simon Victor wrote:
What about trying to modify/delete it with the noop control?
that is a good tip, thank you at all.
While using the noop control may be helpful for checking whether an entry could be deleted (or another all-or-nothing operation) it's not helpful to determine which attributes may be modified.
Why not?  Yes, it's going to tell whether a full set of modifications
will either succeed or fail, but nothing prevents you from performing
repeated modifications.

Hmm, given the number of possible attributes in various combinations of object classes a LDAP client testing this with the noop control would be a real resource hog.

 Yet you might fall into the perverse
situation where subsequent modifications are conditioned on attribute
values that previous modifications would have altered.  That's one of
the reasons predicting access privileges is not possible, unless
access to the rules is given.

Well, if in doubt the server should return 'unknown' or if that's not possible 'write'.

Ciao, Michael.

References:
- Re: effective rights, was: Determine current access level
  - From: Pierangelo Masarati <ando@sys-net.it>

Prev by Date: Re: effective rights, was: Determine current access level
Next by Date: N-Way replication
Index(es):
- Chronological
- Thread