Re: commit: ldap/servers/slapd/overlays dyngroup.c



Russ Allbery wrote:
So, that behavior of letting the dynlist or dyngroup overlay do a query
that the user querying the group tree is not themselves permitted to make
is exactly what we need, since we can then use the more granular access
control possible on the separate group DNs to implement control over
entitlement visibility that's otherwise annoying to represent.

The dgAuthz/dgPolicy stuff that Ando proposed doesn't preclude what you want to do. I just am not convinced yet that dgAuthz is necessary. The code I just committed for dynlist.c leaves that out for now; we can add it later if the consensus is that it's useful.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/