[Fedora-directory-devel] Attribute to determine allowed write attributes?
Pierangelo Masarati
ando at sys-net.it
Fri Nov 3 02:42:35 UTC 2006
Andrew Bartlett wrote:
> On Fri, 2006-11-03 at 01:46 +0100, Pierangelo Masarati wrote:
>
>> Andrew Bartlett wrote:
>>
>>> Sorry, this seems a bit recursive. I'm lost.
>>>
>>>
>> In fact, it is. The point is that what you're asking for may not comply
>> with the ACL model of most DSA implementations, which usually is a
>> desirable model for a number of reasons. What you need is a
>> "cooperative" DSA administrator that agrees to use only a subset of the
>> ACL semantics so that their effect can be computed a priori, without any
>> knowledge of the values that are/will be stored in the attributes.
>> Under this assumption, implementing the feature you desire should be
>> straightforward.
>>
>
> Or you simply ignore checks for value when evaluating the ACL, and
> declare that the attribute may be written to if there is any possible
> valid value.
>
> That should be enough for GUI writers to use for simple user-feedback,
> with a more detailed error reported to a user on the actual modify
> failure.
>
I've just written a toy module for OpenLDAP (HEAD; haven't checked with
earlier versions) that returns the allowedAttributes and
allowedAttributesEffective based on the assumption that ACLs do not
depend on attribute values. You can download it from
<http://www.sys-net.it/~ando/Download/allowed.c>. Its transposition to
FDS __should__ be straightforward. I plan to submit it as a contrib to
OpenLDAP. BTW, can you point me to the schema definition of
allowedAttributes and allowedAttributesEffective?
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati at sys-net.it
------------------------------------------
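
As an added illustration (not part of the original message and not the code in allowed.c), the following self-contained C model shows the approach discussed in this thread: the effective set is computed with no candidate value, so value constraints are skipped, while the actual modify is still checked against the value. The rule structure, the sample rules and the function names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
/* Toy ACL rule for illustration; this is not OpenLDAP's slapd ACL API. */
typedef struct {
    const char *attr;       /* attribute the rule covers */
    const char *who;        /* subject, or "*" for anyone */
    const char *val_suffix; /* required value suffix, NULL = value-independent */
    int write;              /* 1 grants write, 0 denies it */
} acl_rule;
static const acl_rule RULES[] = {   /* constructed sample; first match wins */
    { "telephoneNumber", "uid=alice", NULL, 1 },
    { "mail", "uid=alice", "@example.com", 1 },   /* depends on the value */
    { "description", "*", NULL, 1 },
};
#define NRULES (sizeof RULES / sizeof RULES[0])
/* Assumed schema-permitted attributes of the entry (allowedAttributes). */
static const char *ALLOWED[] = { "uid", "mail", "telephoneNumber", "description" };
#define NALLOWED (sizeof ALLOWED / sizeof ALLOWED[0])

/* value == NULL: no value known yet, so value constraints are skipped and
 * the answer is yes whenever some valid value could exist. */
int may_write(const char *who, const char *attr, const char *value) {
    for (size_t i = 0; i < NRULES; i++) {
        const acl_rule *r = &RULES[i];
        if (strcmp(r->attr, attr) != 0) continue;
        if (strcmp(r->who, "*") != 0 && strcmp(r->who, who) != 0) continue;
        if (r->val_suffix != NULL && value != NULL) {
            size_t lv = strlen(value), ls = strlen(r->val_suffix);
            if (lv < ls || strcmp(value + lv - ls, r->val_suffix) != 0) continue;
        }
        return r->write;
    }
    return 0; /* default deny */
}

/* Fills out[] with the writable subset of ALLOWED; returns its size. */
size_t allowed_effective(const char *who, const char **out) {
    size_t n = 0;
    for (size_t i = 0; i < NALLOWED; i++)
        if (may_write(who, ALLOWED[i], NULL)) out[n++] = ALLOWED[i];
    return n;
}
int main(void) {
    const char *out[NALLOWED];
    size_t n = allowed_effective("uid=alice", out);
    for (size_t i = 0; i < n; i++) printf("allowedAttributesEffective: %s\n", out[i]);
    printf("modify mail=alice@other.org: %d\n", may_write("uid=alice", "mail", "alice@other.org"));
    return 0;
}
```

In this model mail is listed as writable for uid=alice, yet a modify with a value outside the required suffix is still refused, so the computed set serves only as a hint and the server-side check remains authoritative.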