
Re: slapo-dynlist design question(s)





--On Saturday, January 13, 2007 1:47 PM -0800 Howard Chu <hyc@symas.com> wrote:

> You seem to be under the impression that changing the name of a piece of
> data changes the nature of the data. If you have an attribute that
> general users should not be able to see, then they also should not be
> able to see the dynamic group derived from that attribute. Opening it up
> in any way is only going to open you to the same liability you claim to
> want to avoid.
>
>> Please explain to me how they would see dynamic groups I haven't given
>> them access to via acl control.
>
> This:
>
> access to dn.subtree="cn=people,dc=stanford,dc=edu" attrs=privgroup
> 	by USER compare
>
> Is much worse than
>
> access to dn.exact="cn=usergroup,cn=groups,dc=stanford,dc=edu"
> 	by USER compare



I don't in any way intend to let people see groups they don't have access to, *but* if I have to use the user credentials to create groups, that's essentially the position I'm forced into unless I want to make thousands and thousands of ACLs like:


access to dn.subtree="cn=people,dc=stanford,dc=edu" attrs=privgroup val.regex="user-group-a"
	by * compare



Which is something I definitely want to avoid.

--Quanah


--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
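The three ACL shapes argued over in this message (attrs=privgroup over the people subtree, a dn.exact entry for one dynamic group, and a per-value val.regex directive), run through a toy first-match ACL evaluator to show what a bound user can actually learn by LDAP compare under each. This is an added example, not code from the thread or from OpenLDAP: the evaluator is a deliberate simplification of slapd's access rules (only dn.exact/dn.subtree, attrs, val.regex and a "by <dn>|* <level>" clause, with anything unmatched treated as denied), and the DNs, users, privgroup values and pre-expanded dynamic group entries are constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

LEVELS = ["none", "compare", "search", "read", "write"]


@dataclass
class By:
    who: str    # "*" (anyone) or a bind DN; a simplification of slapd's <who> forms
    level: str  # one of LEVELS


@dataclass
class Access:
    dn: str                          # target DN of the "access to" clause
    scope: str                       # "exact" or "subtree"
    attrs: Optional[Set[str]] = None     # None: all attributes
    val_regex: Optional[str] = None      # None: all values (slapd's val.regex)
    by: List[By] = field(default_factory=list)


# Constructed directory (an assumption, not Stanford's data): privgroup values
# on person entries, plus the dynamic group entries slapo-dynlist would derive
# from them, shown here already expanded into static member lists.
PEOPLE = "cn=people,dc=example,dc=com"
GROUPS = "cn=groups,dc=example,dc=com"
ALICE, BOB, CAROL = (f"uid={u},{PEOPLE}" for u in ("alice", "bob", "carol"))
DIRECTORY = {
    ALICE: {"privgroup": ["user-group-a", "payroll-admins"]},
    BOB:   {"privgroup": ["user-group-a"]},
    CAROL: {"privgroup": ["payroll-admins"]},
    f"cn=user-group-a,{GROUPS}":   {"member": [ALICE, BOB]},
    f"cn=payroll-admins,{GROUPS}": {"member": [ALICE, CAROL]},
}

# The three ACL shapes from the thread, with bob standing in for USER.
BROAD = [Access(PEOPLE, "subtree", {"privgroup"}, None, [By(BOB, "compare")])]
GROUP_ENTRY = [Access(f"cn=user-group-a,{GROUPS}", "exact", None, None,
                      [By(BOB, "compare")])]
PER_VALUE = [Access(PEOPLE, "subtree", {"privgroup"}, r"^user-group-a$",
                    [By("*", "compare")])]


def _dn_in_scope(acl: Access, dn: str) -> bool:
    dn, base = dn.lower(), acl.dn.lower()
    if acl.scope == "exact":
        return dn == base
    return dn == base or dn.endswith("," + base)


def _clause_applies(acl: Access, dn: str, attr: str, value: str) -> bool:
    return (_dn_in_scope(acl, dn)
            and (acl.attrs is None or attr in acl.attrs)
            and (acl.val_regex is None or re.search(acl.val_regex, value) is not None))


def can_compare(acls: List[Access], who: str, dn: str, attr: str, value: str) -> bool:
    """First matching "access to" clause decides; inside it the first matching
    "by" clause decides; anything left unmatched is denied."""
    for acl in acls:
        if _clause_applies(acl, dn, attr, value):
            for b in acl.by:
                if b.who == "*" or b.who.lower() == who.lower():
                    return LEVELS.index(b.level) >= LEVELS.index("compare")
            return False
    return False


def memberships_learnable(acls: List[Access], who: str) -> Set[Tuple[str, str]]:
    """Every (person DN, group name) pair `who` can confirm with an LDAP compare,
    whether by comparing privgroup on the person or member on the group entry."""
    found = set()
    for dn, attrs in DIRECTORY.items():
        for attr, values in attrs.items():
            for v in values:
                if can_compare(acls, who, dn, attr, v):
                    if attr == "privgroup":
                        found.add((dn, v))
                    else:  # member=<person DN> on cn=<group>,cn=groups,...
                        found.add((v, dn.split(",", 1)[0][len("cn="):]))
    return found


if __name__ == "__main__":
    for name, acls in (("attrs=privgroup over people", BROAD),
                       ("dn.exact group entry", GROUP_ENTRY),
                       ("val.regex per group", PER_VALUE)):
        pairs = memberships_learnable(acls, BOB)
        print(f"{name}: bob can confirm {len(pairs)} memberships, "
              f"groups={sorted({g for _, g in pairs})}")
```

Under the attrs=privgroup directive bob can confirm every privgroup value on every person, including payroll-admins, which is the leak Howard is pointing at; under the dn.exact group entry or the val.regex directive he can only confirm membership in user-group-a. The two narrow forms expose the same information, but each covers one group, which is why the val.regex route multiplies into one directive per group.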