
Re: [Fedora-directory-devel] Attribute to determine allowed write attributes?



Andrew Bartlett wrote:
> On Fri, 2006-11-03 at 01:46 +0100, Pierangelo Masarati wrote:
>> Andrew Bartlett wrote:
>>> Sorry, this seems a bit recursive. I'm lost.
>>
>> In fact, it is. The point is that what you're asking for may not comply with the ACL model of most DSA implementations, which usually is a desirable model for a number of reasons. What you need is a "cooperative" DSA administrator that agrees to use only a subset of the ACL semantics so that their effect can be computed a priori, without any knowledge of the values that are/will be stored in the attributes. Under this assumption, implementing the feature you desire should be straightforward.
>
> Or you simply ignore checks for value when evaluating the ACL, and
> declare that the attribute may be written to if there is any possible
> valid value.
>
> That should be enough for GUI writers to use for simple user-feedback,
> with a more detailed error reported to a user on the actual modify
> failure.

I've just written a toy module for OpenLDAP (HEAD; haven't checked with earlier versions) that returns the allowedAttributes and allowedAttributesEffective based on the assumption that ACLs do not depend on attribute values. You can download it from <http://www.sys-net.it/~ando/Download/allowed.c>. Its transposition to FDS __should__ be straightforward. I plan to submit it as a contrib to OpenLDAP. BTW, can you point me to the schema definition of allowedAttributes and allowedAttributesEffective?

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo masarati sys-net it
------------------------------------------
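
An added example, not code from this thread or from allowed.c: a toy first-match ACL model in Python showing the optimistic evaluation suggested above, where an attribute is reported writable if some value could be accepted, while the actual modify is still decided per value. The `Rule` model, the function names and the sample policy are assumptions made for illustration and do not reproduce OpenLDAP or FDS ACL semantics.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Rule:
    """One rule of a toy, ordered, first-match ACL (hypothetical model)."""
    attrs: Optional[set]   # attributes covered; None means every attribute
    who: str               # subject DN, or "*" for anyone
    write: bool            # True grants write, False denies it
    value_ok: Optional[Callable[[str], bool]] = None  # optional value constraint

def _applies(rule, who, attr):
    return rule.who in ("*", who) and (rule.attrs is None or attr in rule.attrs)

def allowed_effective(rules, who, schema_attrs):
    """Attributes reported writable when value checks are ignored."""
    writable = set()
    for attr in schema_attrs:
        for rule in rules:
            if not _applies(rule, who, attr):
                continue
            if rule.write:
                writable.add(attr)  # optimistic: some value may be accepted
                break
            if rule.value_ok is None:
                break               # unconditional deny ends the search
            # value-dependent deny: other values fall through to later rules
    return writable

def can_write(rules, who, attr, value):
    """Exact first-match decision for one concrete value (the actual modify)."""
    for rule in rules:
        if _applies(rule, who, attr) and (rule.value_ok is None or rule.value_ok(value)):
            return rule.write
    return False  # default deny when nothing matches

# Constructed sample subject, policy and schema-permitted attribute set
USER = "uid=alice,ou=people,dc=example,dc=com"
RULES = [
    Rule({"userPassword"}, USER, True),
    Rule({"mail"}, USER, True, lambda v: v.endswith("@example.com")),
    Rule({"uidNumber"}, "*", False),
    Rule(None, "*", False),
]
SCHEMA_ATTRS = {"cn", "mail", "uidNumber", "userPassword"}
```

With this policy `mail` is listed as writable for the sample user, yet a modify with a value outside the constraint is still refused, which is the case where the client shows the detailed error from the failed modify.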

