Re: rename across trees: manageDIT?

[Pierangelo Masarati <ando@sys-net.it>]

Luke Howard wrote:

> > One issue I'm finding is that when modifications get to access checking, 
> > noUserMod attrs are mixed with the others.  So I'm considering the 
> > opportunity to extend the Modifications structure to host a managing 
> > flag that's on when the attribute is being managed.  This allows to 
> > decide whether a modification should be checked for access.
> >    
>
> Does sml_flags |= SLAP_MOD_INTERNAL not work?
>  
I guess this is something slightly different: I want to defer access 
checking to the time the backend calls acl_check_modlist(); but in that 
case, noUserMod attrs don't get checked because accerss checking assumes 
they were internally generated, while they were actually supplied by the 
user under the umbrella of manageDIT.  So the answer is no, unless I'm 
missing something.

One thing I was totally missing is that right now manageDIT can only be 
used by the rootdn identity.  If this limitation is not going to be 
removed, the entire idea of manage access privilege is going to be 
useless, and I was finding it quite interesting, because it gives a lot 
of freedom in delegating fine grained  administration capabilities.

p.


   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497