
Re: Consumer ACLs



On Wednesday, 6 January 2010 00:45:12 Jaap Winius wrote:
> Hi all,
> 
> A question regarding ACLs on OpenLDAP consumer servers. If the ACLs on
> the provider give clients write access to some attributes, such as
> loginShell or userPassword, shouldn't the ACLs on the consumers do the
> same?

No.

> I'm not sure about this, since consumer databases are always
> read-only, but it seems to me that the clients would otherwise have no
> way of knowing that changing certain attributes was possible (via the
> updateref option or the chain overlay).

ACLs won't be evaluated on the slave in either case; the referral will occur 
first.

(How do clients "know" that certain attributes can be changed? In practice, 
they don't; they try to make a change, and if they get a referral, they may or 
may not try and chase the referral.)

Regards,
Buchan
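
The setup discussed in this thread, as an added illustration that is not part of the original messages: a consumer slapd.conf fragment that uses updateref and grants no write access. The hostname, DNs, directory path and credential are placeholders.

```conf
# Consumer database (constructed example; all names are placeholders).
database    mdb
suffix      "dc=example,dc=com"
rootdn      "cn=admin,dc=example,dc=com"
directory   /var/lib/ldap

# Replicate from the provider. Replicated changes are applied by slapd
# itself, so the consumer needs no write ACLs for them.
syncrepl rid=001
    provider=ldap://provider.example.com
    type=refreshAndPersist
    retry="60 +"
    searchbase="dc=example,dc=com"
    bindmethod=simple
    binddn="cn=replicator,dc=example,dc=com"
    credentials=REPLACE_ME

# Write requests sent to this consumer are answered with a referral to
# this URI. Write authorization is decided by the provider's ACLs.
updateref   ldap://provider.example.com

# Consumer ACLs only need to cover bind and read.
# "auth" on userPassword lets clients authenticate against this consumer.
access to attrs=userPassword
    by anonymous auth
    by * none

access to *
    by users read
    by * none
```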