[Fedora-directory-devel] Attribute to determine allowed write attributes?

Andrew Bartlett abartlet at samba.org
Thu Nov 2 04:33:36 UTC 2006


On Wed, 2006-11-01 at 18:54 -0700, Richard Megginson wrote:
> Andrew Bartlett wrote:
> > On Wed, 2006-11-01 at 07:05 -0700, Richard Megginson wrote:
> >   
> >> Andrew Bartlett wrote:
> >>     
> >>> On Tue, 2006-10-31 at 21:05 -0700, David Boreham wrote:
> >>>   
> >>>       
> >>>> Andrew Bartlett wrote:
> >>>>
> >>>>     
> >>>>         
> >>>>> Does anybody have any pointers to an existing feature request like this,
> >>>>> or should I file one in Bugzilla?
> >>>>>  
> >>>>>
> >>>>>       
> >>>>>           
> >>>> This is what is implemented :
> >>>>
> >>>> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/acl.html#1216899
> >>>>     
> >>>>         
> >>> That has:
> >>>
> >>>   
> >>>       
> >>>> Information is not given for attributes in an entry that do not have a
> >>>> value; for example, if the userPassword value is removed, then a
> >>>> future effective rights search on the entry above would not return any
> >>>> effective rights for userPassword, even though self-write and
> >>>> self-delete rights could be allowed. Likewise, if the street attribute
> >>>> were added with read, compare, and search rights, then street: rsc
> >>>> would appear in the attributeLevelRights results.
> >>>>     
> >>>>         
> >>> I need information on unknown attributes, so that MMC can show them as
> >>> valid, writable fields (not greyed out).  My preferred format is a list
> >>> of writable fields, as permitted by the current schema for that entry.
> >>>   
> >>>       
> >> This could be useful in any general purpose GUI app, to have the ability 
> >> to perform one query and get back a list of
> >> 1) regular attributes available according to the schema
> >> 2) operational attributes - writable vs. read-only
> >> 3) virtual attributes - writable vs. read-only
> >>
> >> I would like to support the openldap "+" special attribute which 
> >> retrieves all operational attributes, and I would also like to support 
> >> the Sun DS real and virtual attrs controls.
> >>
> >> Andrew, I think it would be beneficial to me if you could post an 
> >> example ldapsearch and an example return entry in LDIF.
> >>     
> >
> > Using Samba's ldbsearch:
> >
> > bin/ldbsearch -H ldap://win2k3dc.win2k3.abartlet.net cn=administrator
> > allowedAttributes allowedAttributesEffective allowedClasses
> > AllowedClassesEffective -Uadministrator%penguin
> >   
> What do allowedAttributes and allowedAttributesEffective mean?  Are they 
> the writable attributes as allowed by schema and access control?  What 
> does the "Effective" mean?

The 'effective' means after ACLs are considered.  allowedAttributes is
just what the schema will permit.

> What are allowedClasses and AllowedClassesEffective?

I understand these are the same, but for subclasses.  I think I need to
try this on a container object to have this show up.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
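
Added example, not part of the original message: a sketch of how a GUI client could use the reply to the ldbsearch above, treating allowedAttributes as what the schema permits and allowedAttributesEffective as what remains after ACLs, so that an attribute with no value yet (street here) still shows as writable. The sample LDIF, the DN and the function names are constructed for illustration.

```python
# Added example. SAMPLE_LDIF is constructed, not captured server output.
SAMPLE_LDIF = """\
dn: CN=Administrator,CN=Users,
 DC=example,DC=test
cn: Administrator
allowedAttributes: cn
allowedAttributes: description
allowedAttributes: street
allowedAttributes: objectGUID
allowedAttributesEffective: description
allowedAttributesEffective: Street
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {lowercased attribute name: [values]}.

    Assumption: values are plain text; base64 ("attr:: ...") is not decoded.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]      # folded line: continuation of previous
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def field_states(entry):
    """Classify every schema-permitted attribute for display in a GUI."""
    allowed = {a.lower() for a in entry.get("allowedattributes", [])}
    effective = {a.lower() for a in entry.get("allowedattributeseffective", [])}
    states = {}
    for attr in sorted(allowed):
        # Attribute names are case-insensitive in LDAP, so compare lowercased.
        states[attr] = "writable" if attr in effective else "read-only"
    return states


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_LDIF)
    for attr, state in field_states(entry).items():
        has_value = "has value" if attr in entry else "no value"
        print(f"{attr:12} {state:10} {has_value}")
```

The result is a display hint only; the server still applies its ACLs when the modify is actually sent.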
