Re: rename across trees: manageDIT?

[Pierangelo Masarati <ando@sys-net.it>]

Pierangelo Masarati wrote:

> I guess this is something slightly different: I want to defer access 
> checking to the time the backend calls acl_check_modlist(); but in 
> that case, noUserMod attrs don't get checked because accerss checking 
> assumes they were internally generated, while they were actually 
> supplied by the user under the umbrella of manageDIT.  So the answer 
> is no, unless I'm missing something.
>
> One thing I was totally missing is that right now manageDIT can only 
> be used by the rootdn identity.  If this limitation is not going to be 
> removed, the entire idea of manage access privilege is going to be 
> useless, and I was finding it quite interesting, because it gives a 
> lot of freedom in delegating fine grained  administration capabilities.

I have non-root manage access consistently checked for modifies and 
(partially) for adds (in back-bdb, at least; could be confined into 
access checking, though).  I think manage access makes little sense for 
modrdn and delete, but I might have overlooked something.  Should I go 
on and commit it?

p.


   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497