
Re: entryDN not allowed in compare



Kurt D. Zeilenga wrote:

In some sense, maybe. But I'd rather "entry" grant permission to
the object (entry) as a whole.


My consideration is:

access to attrs=entry
   by * read
access to *
   by * none

implies that one can get the DN of all entries and no attributes, including entryDN; but the search is actually returning the entry DN; similarly, something like

access to attrs=entryDN
   by * none
access to *
   by * read

would fail in hiding the DN of an entry. In this sense, we could (should?) use the access to the "entry" pseudo-attribute when checking the access to the "entryDN" attribute. If we give read access to an entry, we are implicitly revealing its "entryDN" value.

p.



   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
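
Added example, not part of the original message and not OpenLDAP's code: a simplified Python model of first-match ACL evaluation over the two rule sets quoted above. It shows that the DN is disclosed whenever the entry is readable, and what checking "entry" in place of "entryDN" would change. The function names, the two-level (none/read) model and the sample entry are assumptions.

```python
# Simplified model of the ACL argument (assumption: not slapd's evaluator).
# Only the "none" and "read" levels and "by *" clauses from the message are modelled.

ACL_A = """
access to attrs=entry
   by * read
access to *
   by * none
"""
ACL_B = """
access to attrs=entryDN
   by * none
access to *
   by * read
"""
# Constructed sample entry.
ENTRY = {"dn": "cn=test,dc=example,dc=com",
         "attrs": {"cn": "test", "entryDN": "cn=test,dc=example,dc=com"}}

def parse_acl(text):
    """Return ordered (what, level) rules from 'access to' / 'by *' lines."""
    rules, what = [], None
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:2] == ["access", "to"]:
            what = tok[2]
        elif tok[:2] == ["by", "*"] and what is not None:
            rules.append((what, tok[2]))
    return rules

def level(rules, attr):
    """First matching rule wins; no match means no access."""
    for what, lvl in rules:
        if what in ("*", "attrs=" + attr):
            return lvl
    return "none"

def search_view(rules, entry, entrydn_follows_entry=False):
    """What one search result discloses; None if the entry is not returned."""
    if level(rules, "entry") != "read":
        return None
    view = {"dn": entry["dn"], "attrs": {}}  # the DN travels with any returned entry
    for attr, value in entry["attrs"].items():
        check = "entry" if attr == "entryDN" and entrydn_follows_entry else attr
        if level(rules, check) == "read":
            view["attrs"][attr] = value
    return view

def dn_leaks(view):
    """True when the DN is disclosed although the entryDN attribute is withheld."""
    return view is not None and "entryDN" not in view["attrs"]
```

In this model both rule sets return the DN while withholding entryDN; with `entrydn_follows_entry=True` the attribute's visibility matches what the search result already reveals.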