Quanah Gibson-Mount wrote:
> --On Tuesday, November 05, 2013 5:42 PM +0100 Hans Freitag <zem@fnordpol.de>
> wrote:
>
>> Not to use an evil client is no option to me.
>
> Don't give the user manage privileges...

Doesn't that affect rather the use of Relax Rules control (formerly known as Manage DIT control)?

I think the (ab)use of Manage DSA IT control to circumvent constraint(s) is somewhat historic because at that time in the past [1] was not available yet. This resulted in a control-against-constraint mess. It should be consequently replaced by applying Relax Rules control including properly checking the manage privilege.

BTW: Still the OID of the Relax Rules control contains this experimental OID *.666.* cruft. Maybe it's the time to proceed with the draft and define a proper OID.

How about discussing this at LDAPcon in Paris? (might also fit in my presentation...)

Ciao, Michael.

[1] http://tools.ietf.org/html/draft-zeilenga-ldap-relax