[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: entryDN not allowed in compare

To: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Subject: Re: entryDN not allowed in compare
From: Pierangelo Masarati <ando@sys-net.it>
Date: Sat, 22 Jan 2005 16:41:57 +0100
Cc: openldap-devel@OpenLDAP.org
References: <44373.131.175.154.56.1106313316.squirrel@131.175.154.56> <6.2.0.14.0.20050121100416.02a81580@mail.openldap.org>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20021003

Kurt D. Zeilenga wrote:

I some sense, maybe. But I rather "entry" grant permission to the object (entry) as a whole.

My consideration is:

access to attrs=entry
   by * read
access to *
   by * none

implies that one can get the DN of all entries and no attributes, including entryDN; but the search is actually returning the entry DN; similarly, something like

access to attrs=entryDN
   by * none
access to *
   by * read

would fail in hiding the DN of an entry. In this sense, we could (should?) use the access to the "entry" pseudo-attribute when checking the access to the "entryDN" attribute. If we give read access to an entry, we are implicitly revealing its "entryDN" value.

p.

   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497

References:
- entryDN not allowed in compare
  - From: "Pierangelo Masarati" <ando@sys-net.it>
- Re: entryDN not allowed in compare
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: Re: entryDN not allowed in compare
Next by Date: Re: dropping back-ldbm (was: commit: ldap/servers/slapd connection.c)
Index(es):
- Chronological
- Thread