
Re: Global ACLs - Impacts access control and SLAPI (ITS#3100)

> At 06:12 AM 4/20/2004, ando@sys-net.it wrote:
>>> I don't think it is broke, but intended behavior:
>>> If there are global acls, they apply to all databases
>>> after any db acls.  If the db has no acls, global acls
>>> are used.
>>> If the target is not within any database, acls of
>>> first database (then global acls) apply.
>>> It's been this way for many years (long before SLAPI).
>>I'll revert in a moment.  My concern was that
>>when addressing rootDSE or cn=subschema, I had
>>to run thru the first database rules, which is
>>counterintuitive; wouldn't it be better to
>>address this specific case by short-circuiting
>>to global_acl?
> Then they wouldn't be global acls.  They'd be
> acls which applied to objects outside of all
> databases.  While it might make sense to have
> a set of ACLs which applied to this set of
> objects, it is a different concept than
> intended.
> (Note that global ACLs were invented before there
> was a root DSE or cn=subschema.)

I mean:

- DN is within namingContext?
  apply namingContextACL, then globalACL

- DN is not within namingContext?
  apply globalACL

This (to me) would sound more intuitive:
go from local to global; stay global otherwise.


Pierangelo Masarati
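The two evaluation orders discussed in this thread, as an added illustration that is not part of the ITS discussion and not OpenLDAP's own code. It is a deliberately simplified model: rules are "target suffix plus who-to-level map" rather than real slapd `access to ... by ...` syntax, the first rule whose target covers the entry decides (as in slapd), and the database suffixes, ACLs and DNs are constructed for the example. The point it makes visible is the one raised above: with a "deny everything else" tail rule in the first database, a request against the root DSE or cn=subschema never reaches the global ACLs under the long-standing order, while the proposed local-then-global, global-otherwise order does consult them.

```python
# Constructed model of slapd-style ACL evaluation order (added example, not
# OpenLDAP code). Rule syntax and sample data are assumptions for illustration.
from dataclasses import dataclass, field

@dataclass
class Rule:
    target: str            # DN suffix the rule covers; "*" covers any entry
    grants: dict           # who -> access level; "*" is the catch-all "by *"
    default: str = "none"  # level when no "who" clause matches

@dataclass
class Database:
    suffix: str
    acls: list = field(default_factory=list)

def is_within(dn, suffix):
    """True if dn equals suffix or sits below it (case-insensitive)."""
    dn, suffix = dn.lower(), suffix.lower()
    return dn == suffix or dn.endswith("," + suffix)

def evaluate(rules, who, dn):
    """First-match semantics: the first rule whose target covers dn decides.
    Returns the granted level, or None if no rule in this list applies."""
    for rule in rules:
        if rule.target == "*" or is_within(dn, rule.target):
            return rule.grants.get(who, rule.grants.get("*", rule.default))
    return None

def find_database(databases, dn):
    for db in databases:
        if is_within(dn, db.suffix):
            return db
    return None

def access_current(databases, global_acls, who, dn):
    """Order described in the thread as long-standing behaviour: database
    ACLs first, then global ACLs; a DN outside every database is evaluated
    against the FIRST database's ACLs before the global ones."""
    db = find_database(databases, dn) or databases[0]
    level = evaluate(db.acls, who, dn)
    if level is None:                     # db has no ACLs, or none matched
        level = evaluate(global_acls, who, dn)
    return level or "none"

def access_proposed(databases, global_acls, who, dn):
    """Order proposed in the reply above: local then global when the DN is
    inside a naming context; global ACLs alone otherwise."""
    db = find_database(databases, dn)
    level = evaluate(db.acls, who, dn) if db else None
    if level is None:
        level = evaluate(global_acls, who, dn)
    return level or "none"

ADMIN = "cn=admin,dc=example,dc=com"

# Constructed configuration: the first database ends with a deny-all tail,
# the second grants read to anyone, the third has no ACLs at all.
DATABASES = [
    Database("dc=example,dc=com", [
        Rule("ou=secret,dc=example,dc=com", {ADMIN: "write"}),
        Rule("*", {ADMIN: "write", "*": "none"}),   # "deny everything else"
    ]),
    Database("dc=other,dc=org", [Rule("*", {"*": "read"})]),
    Database("dc=noacl,dc=net"),
]

# Constructed global ACLs: root DSE (empty DN) and cn=subschema readable by
# anyone, search on whatever else falls through.
GLOBAL_ACLS = [
    Rule("", {"*": "read"}),
    Rule("cn=subschema", {"*": "read"}),
    Rule("*", {"*": "search"}),
]

def compare(who, dn):
    """Return (current_order_level, proposed_order_level) for one request."""
    return (access_current(DATABASES, GLOBAL_ACLS, who, dn),
            access_proposed(DATABASES, GLOBAL_ACLS, who, dn))

if __name__ == "__main__":
    for who, dn in [("anonymous", ""), ("anonymous", "cn=subschema"),
                    ("anonymous", "uid=alice,ou=people,dc=example,dc=com"),
                    (ADMIN, "ou=secret,dc=example,dc=com"),
                    ("anonymous", "cn=x,dc=noacl,dc=net")]:
        cur, prop = compare(who, dn)
        print(f"{who:>26} -> {dn or '<rootDSE>':40} current={cur:6} proposed={prop}")
```

Entries inside a database get the same answer under both orders, as does a database with no ACLs (it falls through to the global rules either way); only targets outside every naming context differ, which is exactly the rootDSE / cn=subschema case the thread is about.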