[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: slapo-dynlist desgin question(s)



Quanah Gibson-Mount wrote:


--On Tuesday, January 16, 2007 11:36 AM -0800 Quanah Gibson-Mount <quanah@stanford.edu> wrote:

I will try it, but it is not of help.

And this does work:

ldapcompare -Q -h ldap-dev1 "cn=registry-consult,cn=groups,cn=applications,dc=stanford,dc=edu" "member:suRegID=ff44e0a6e76a11d1a28c2436000baa77,cn=people,dc=stanford,dc=edu"

TRUE


so that fixes half my problem. ;)

Great. For the listing, honestly I remain on my positions. A possible exception, which would probably solve your problem and at the same time not hinder what access is being applied to data is to design a new access privilege that means something like "disclose to internal operations". This would need to be explicitly added to data that one wants to be accessible by internal operations but not directly by regular ops, like in your case. What I don't like of this access privilege is that it's too generic: it doesn't allow to tell what an internal operation would do with that data. For example, an internal operation may want to modify it, or give it away or so. Note that I have no idea (nor intention: I still remember how much I had to sweat to add "add" and "zap" privileges!) of how to implement it, right now.


p.