[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#6584) dynlist group expansion doesn't use internal serach

To: openldap-its@OpenLDAP.org
Subject: (ITS#6584) dynlist group expansion doesn't use internal serach
From: quanah@zimbra.com
Date: Wed, 23 Jun 2010 21:53:04 GMT
Auto-submitted: auto-generated (OpenLDAP-ITS)

Full_Name: Quanah Gibson-Mount
Version: 2.4.22
OS: NA
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (75.111.45.108)


When dynlist expands the group membership from a URI statement, it applies the
bind identity to the search to expand it.  This does not conform to the dyngroup
behavior as was requested.

Instead, dynlist should allow expansion by doing an internal search on the
specified URI value, so that the binding identity is not required to have
"compare" access on the attributes making up the query.  This was implemented in
dyngroup for security purposes, and those reasons still apply.

--Quanah

Prev by Date: (ITS#6583) API C : freeze of the function "ldap_modify_ext_s"
Next by Date: Re: (ITS#6584) dynlist group expansion doesn't use internal serach
Index(es):
- Chronological
- Thread