Re: slapo-dynlist desgin question(s)

[Quanah Gibson-Mount <quanah@stanford.edu>]

--On Saturday, January 13, 2007 1:36 PM -0800 Quanah Gibson-Mount 
<quanah@stanford.edu> wrote:

> --On Saturday, January 13, 2007 11:03 AM +0100 Pierangelo Masarati
> <ando@sys-net.it> wrote:
>
> > Using the rootdn to generate the list, and
> > then check access to the list itself may not be correct, because the
> > dynamic list could become a means to circumvent access control to the
> > actual data; think of a case where the effective user has no privileges
> > on the actual data, but has compare, or even read access to the
> > dynamically generated list.  Then, if the list were generated as rootdn,
> > the user would be able to compare, or even read, on data that is a
> > derivative of otherwise inaccessible data.  I would consider this a
> > violation of data integrity.


Oh, and much thanks for the patch. :)  I'll give it a try here soon. ;)

--Quanah


--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html