Re: entryDN not allowed in compare
Kurt D. Zeilenga wrote:
> In some sense, maybe. But I'd rather "entry" grant permission to
> the object (entry) as a whole.
My consideration is:
    access to attrs=entry
        by * read
    access to *
        by * none
implies that one can get the DN of all entries and no attributes,
including entryDN; but the search is actually returning the entry DN;
similarly, something like
    access to attrs=entryDN
        by * none
    access to *
        by * read
would fail in hiding the DN of an entry. In this sense, we could
(should?) use the access to the "entry" pseudo-attribute when checking
the access to the "entryDN" attribute. If we give read access to an
entry, we are implicitly revealing its "entryDN" value.
p.
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
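
The two ACL sets from the message above, run through a simplified first-match evaluator; this is an added example, not part of the original message and not OpenLDAP code. It assumes only `by *` clauses with `read`/`none`, ignores search-filter access, and the sample entry and all function names are constructed for illustration.

```python
# Simplified model of slapd's first-match ACL evaluation (illustrative only).
# A rule is (what, level): "what" is an attribute name or "*"; every rule is "by *".
ACL_A = [("entry", "read"), ("*", "none")]      # first snippet in the message
ACL_B = [("entryDN", "none"), ("*", "read")]    # second snippet in the message

# Constructed sample entry; entryDN is the operational attribute holding the DN.
ENTRY = {
    "dn": "cn=test,dc=example,dc=com",
    "attrs": {"cn": "test", "entryDN": "cn=test,dc=example,dc=com"},
}

def access(acl, attr):
    """Level for attr: the first 'access to' clause that matches wins."""
    for what, level in acl:
        if what == "*" or what.lower() == attr.lower():
            return level
    return "none"  # implicit trailing "access to * by * none"

def search_result(acl, entry):
    """An entry is returned when the 'entry' pseudo-attribute is readable.
    The DN travels with the entry; attributes are filtered one by one."""
    if access(acl, "entry") != "read":
        return None
    attrs = {a: v for a, v in entry["attrs"].items() if access(acl, a) == "read"}
    return {"dn": entry["dn"], "attrs": attrs}

def entrydn_access(acl, proposed=False):
    """Access to the entryDN attribute. proposed=False checks it as an ordinary
    attribute (the behaviour the message describes); proposed=True applies the
    message's suggestion and checks the 'entry' pseudo-attribute instead."""
    return access(acl, "entry" if proposed else "entryDN")

def dn_disclosed_despite_deny(acl, entry):
    """True when entryDN is denied but a search still reveals the same DN."""
    return search_result(acl, entry) is not None and entrydn_access(acl) == "none"

if __name__ == "__main__":
    for name, acl in (("A", ACL_A), ("B", ACL_B)):
        print(name, search_result(acl, ENTRY),
              "entryDN now:", entrydn_access(acl),
              "proposed:", entrydn_access(acl, proposed=True),
              "inconsistent:", dn_disclosed_despite_deny(acl, ENTRY))
```

Under both ACL sets the DN is returned by the search while the `entryDN` attribute itself is denied; with the proposed check the two answers agree.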