[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: userPassword not SINGLE-VALUE ?
Hi,
On Saturday 08 November 2003 14:47, Ace Suares wrote:
> How do I find out which attributes have been hardcoded into OpenLDAP ?
> I tried 'uid' and it seems to be a multivalued attribute to, that is not
> defined in one of the schema's.
You may compare the thema for the running server and compare it with the
contents of the schema fiels you included into slad.conf.
(With a miminal set of schema fiels it is easier ;-)
Alternatively you can have a look into the source files
servers/slapd/schema_init.c and servers/slapd/schema_prep.c
> This is something that bothers me - if a user wants to change a password,
> he/she need write access and automagically has read access. Why is there
> not such thing as 'change' access level ?
Do not use the access levels, use privileges. Access levels increase the
rights with each step while privieges explicitely allow/forbid each right.
Wth the privilege system you can give a user write rights with giving it read
rights: by self =w
At least if I unserstand the slapd.access man page correctly ;-)
> I have similar thoughts about adding an entry and then restrict the
> possibility of modifying or deleting it. Why is there no such thing as
> 'add' access level ? How did the set xcsrw access-levels came into being?
> Who designed this limited set, and was there a good reason to do so? Can it
> be changed (probably with RFC ?).
What you here call a "limited set" of access levels are in fact the
privileges ;-)
I think with the access levels/privileges to entries you are right:
Operations on entries that are not pure attribute modifications are Create,
Rename and Delete. It looks like they cannot be allowed/forbidded separately.
Let me suggest the letters that start these operations (in uppercase) as an
extension to the privilege system: C=create, R=rename, D=delete ;-)))
CU
Peter
--
Peter Marschall
eMail: peter@adpm.de