[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)

To: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
Subject: Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)
From: Pierangelo Masarati <ando@sys-net.it>
Date: Tue, 05 Apr 2005 09:21:48 +0200
Cc: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>, Howard Chu <hyc@symas.com>, openldap-devel@OpenLDAP.org
In-reply-to: <hbf.20050404vrcz@bombur.uio.no>
References: <200504020834.j328Y8WM008484@boole.openldap.org> <424E9AE0.2090203@sys-net.it> <6.2.1.2.0.20050402080426.072eef80@mail.openldap.org> <424ECED5.6010309@sys-net.it> <6.2.1.2.0.20050402090705.0278b3b8@mail.openldap.org> <424F14B9.9050306@symas.com> <424F1949.60301@sys-net.it> <424F28EC.7050001@symas.com> <424F29BC.3070803@sys-net.it> <424F3B3C.1010703@symas.com> <6.2.1.2.0.20050402181741.066d0b08@mail.openldap.org> <424F907B.7010609@sys-net.it> <6.2.1.2.0.20050403103607.08fb1c80@mail.openldap.org> <42515D2E.7030308@sys-net.it> <6.2.1.2.0.20050404085147.02fea068@mail.openldap.org> <42516552.8050105@sys-net.it> <6.2.1.2.0.20050404092145.026fd9e0@mail.openldap.org> <3610.151.29.219.164.1112641922.squirrel@151.29.219.164> <6.2.1.2.0.20050404122957.02b0e6c8@mail.openldap.org> <hbf.20050404vrcz@bombur.uio.no>
User-agent: Mozilla Thunderbird 1.0 (X11/20041206)

Hallvard B Furuseth wrote:

What if there is no attribute to delete?

What you say is consistent with current behaviour, but current
behaviour does not look right to me:

 access to attrs=foo val=bar by *    read
 access to *                 by self write
                             by *    read

does not prevent replace:foo if the entry contains foo:bar.

It's documented, though.  But if it is the intended behaviour,
I think slapd startup should at least try to warn about it.
I'll file an ITS when I know what the error is:-)

I think iterating on all existing values when doing a full delete or a replace would fix this. Currently, write access to full deletion is checked without passing the value.

p.

   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497

References:
- More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)
  - From: Pierangelo Masarati <ando@sys-net.it>
- Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)
  - From: Pierangelo Masarati <ando@sys-net.it>
- Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)
  - From: Howard Chu <hyc@symas.com>
- Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)
  - From: Pierangelo Masarati <ando@sys-net.it>
- Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)
  - From: Howard Chu <hyc@symas.com>
- Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)
  - From: Pierangelo Masarati <ando@sys-net.it>
- Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)
  - From: Howard Chu <hyc@symas.com>
- Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)
  - From: Pierangelo Masarati <ando@sys-net.it>
- Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)
  - From: Pierangelo Masarati <ando@sys-net.it>
- Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)
  - From: Pierangelo Masarati <ando@sys-net.it>
- Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)
  - From: "Pierangelo Masarati" <ando@sys-net.it>
- Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>

Prev by Date: Re: More granular privileges in ACLs (now ITS#3631)
Next by Date: ppolicy and Access Control to operational Attributes
Index(es):
- Chronological
- Thread