[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: commit: ldap/doc/man/man5 slapd.access.5

To: ando@sys-net.it
Subject: Re: commit: ldap/doc/man/man5 slapd.access.5
From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
Date: Tue, 5 Jul 2005 13:33:48 +0200
Cc: "OpenLDAP Commit" <openldap-commit2devel@OpenLDAP.org>
In-reply-to: <41292.131.175.154.56.1120560840.squirrel@131.175.154.56>
References: <200507051002.j65A2f1A029830@cantor.openldap.org> <hbf.20050705szzq@bombur.uio.no> <41292.131.175.154.56.1120560840.squirrel@131.175.154.56>

Pierangelo Masarati writes:
> - a DN-valued attr is used; then <style> can be "exact"/"base", or
> "subtree" or "children" or "one" and so on.  In all of these cases a
> matching rule can be specified.  Maybe this is useless, because I'm afraid
> that (at present) only distinguishedNameMatch can be used.  I've
> introduced this for symmetry, although for DN-valued attrs value_match()
> is not actually invoked, but a string comparison on the normalized
> relevant portion of the DN is used.

How do you imagine it would work to use both e.g. "subtree" and a
matching rule?  In effect base/subtree/children etc *is* the matching
rule.  (And one which I'd really like to have as a real matching rule to
be used in extensibleMatch filters, BTW:-)

> In fact, one thing that was happening before was that this ACL was
> usable with those DN-valued attrs that do not define an EQUALITY rule,
> which sounds like an inconsistency.

Yup, it treats DNs specially by always using a scope, and the
default, "base", is in practice distinguishedNameMatch.

-- 
Hallvard

References:
- Re: commit: ldap/doc/man/man5 slapd.access.5
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
- Re: commit: ldap/doc/man/man5 slapd.access.5
  - From: "Pierangelo Masarati" <ando@sys-net.it>

Prev by Date: Re: commit: ldap/doc/man/man5 slapd.access.5
Next by Date: liberalily in schema parsing
Index(es):
- Chronological
- Thread