Re: Issue with default ACL selection and back-config (revitalizing ITS#3100?...)



Kurt D. Zeilenga wrote:

At 06:57 PM 4/12/2005, Howard Chu wrote:


I'm fine with doing away with the "first DB ACLS are used if
no global ACLs" feature.


The one difference is that with the "first DB" behavior, a user bound as the rootDN of the first DB would automatically have unrestricted access to the rootDSE etc. (Not that there's anything in there for which root access is particularly important.) Removing this feature would require explicit global ACLs for those cases, as the rootDN of the first DB would no longer be "special" in the context of the rootDSE or schema subentry.


Actually, this may hint at why we have the firstDB acls apply to global items... it's more about the firstDB rootdn.

I guess I would not be opposed to adding a global rootdn.
I might even be not opposed to removing DB rootdns (e.g.,
only having a global rootdn). But then, I've always thought
the rootdn to be evil, though a sometimes necessary evil.


With the current framework, we can have a global rootdn at no cost because of the frontendDB database (maybe it's already possible by just defining "rootdn" outside any database directive), so if one has any unrestricted global access needs it can be easily solved.

p.


SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497