
Re: ACL control with break



On 25/5/2012 6:44 PM, Philip Guenther wrote:

Because that's a popular style of ACL processing logic to use for those
attributes.  As you note, this is done in "most cases", i.e., not all, so
obviously there's nothing in the software that requires it.

I'm not sure why the ACLs for entry and children that you tend to see use
that style, but if I recall correctly, they weren't part of the original
ACL design but rather were added in OpenLDAP 2.2 (or maybe 2.3?), so this
may be the result of ACL sets being retrofitted during upgrades.


Thank you Philip, I hope someone can provide some more information on why "that's a popular style of ACL processing logic to use for those attributes." (i.e. entry and children pseudo-attrs).

I am wondering: if there is (or there was) nothing in the software that requires (required) it, why has such a style developed?

Yes, though you should review any rules without an attrs= clause carefully to check whether they're setting the rights for the children/entry pseudo-attributes unexpectedly.

You mean that if we use a <what> statement without an "attrs=" clause, then it affects children and entry pseudo-attributes as well? And what if there is a filter specified too (still without an "attrs=" clause)?

I'm not sure what you mean by "determined implicitly" here, so I can't answer that.

What I meant was exactly that (see above): if e.g. we use a <what> statement without an "attrs=" clause, then it affects children and entry pseudo-attributes as well?

Thanks,
Nick
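
The review Philip suggests above (checking every rule that has no attrs= clause) can be scripted. The sketch below is an added example, not code from the thread or from OpenLDAP; the slapd.conf fragment is constructed, and the function names are hypothetical.

```python
import re

# Constructed slapd.conf fragment for illustration (not from the thread).
SAMPLE_CONF = """\
# constructed example ACLs
access to dn.subtree="ou=people,dc=example,dc=com" attrs=userPassword
    by self write
    by anonymous auth
access to dn.subtree="ou=people,dc=example,dc=com" filter=(objectClass=person)
    by users read
    by * break
access to attrs=entry,children
    by users read
access to *
    by * none
"""

def logical_lines(text):
    """Unwrap continuation lines (leading whitespace), then drop comments."""
    out = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return [line for line in out if not line.startswith("#")]

def rules_without_attrs(text):
    """Return (rule_number, what) for each 'access to' rule lacking attrs=."""
    flagged = []
    number = 0
    for line in logical_lines(text):
        # <what> is everything between 'access to' and the first 'by'.
        m = re.match(r"access\s+to\s+(.*?)\s+by\s", line, re.I)
        if not m:
            continue
        number += 1  # position in the file; ACL order decides evaluation
        what = m.group(1)
        # Matches attrs= (and the singular attr= spelling) as its own token.
        if not re.search(r"(^|\s)attrs?=", what):
            flagged.append((number, what))
    return flagged

if __name__ == "__main__":
    for number, what in rules_without_attrs(SAMPLE_CONF):
        print(f"rule {number}: no attrs= clause in <what>: {what}")
```

Each flagged rule, including ones that carry only a dn or filter selector, is a candidate for the manual check on entry/children rights.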