Re: [Fedora-directory-devel] Attribute to determine allowed write attributes?


On Thu, 2006-11-02 at 16:07 +0100, Pierangelo Masarati wrote:
> Andrew Bartlett wrote:
> > Using Samba's ldbsearch:
> >
> > bin/ldbsearch -H ldap://win2k3dc.win2k3.abartlet.net cn=administrator
> > allowedAttributes allowedAttributesEffective allowedClasses
> > AllowedClassesEffective -Uadministrator%penguin
> >   
> What's the -U for?  My guess is -U<user>%<cred>; is that correct?

That's the samba syntax for username and password, for a SASL bind.

> > allowedAttributesEffective: adminDisplayName
> >   
> What identity does the "Effective" refer to?  That of the client 
> performing the request?  

Yes, the access that would be given to this connection, if it were to
try write access to these attributes.

> How would this deal with ACL that depend on the 
> value of the data?  How would this deal with ACLs that do not just 
> depend on the object and on the client's identity?

It should return the attributes that may be written to.  Remember, the
purpose is to allow a GUI client to grey out read-only fields, and
reduce user frustration.

> Moreover, I believe this type of operation should be itself protected by 
> ACLs, i.e. implementations should be able to restrict identities that 
> can get this info.  

This may well be.  For my purposes, all users with access to write
should be able to know what they may write to.  Users with read-only
access would get an empty list, and the total list of allowed attributes
can be calculated by schema introspection.

> With an ACL model that accounts for attribute values 
> (like any serious implementation should provide), the list itself could 
> be incomplete if access to specific values of allowedAttributes or 
> allowedAttributesEffective is itself restricted.

Sorry, this seems a bit recursive.  I'm lost.  

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
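The client-side use that Andrew describes (grey out fields the current bind cannot write, using allowedAttributes as the schema-derived total and allowedAttributesEffective as the per-connection subset) can be shown with a small stand-alone Python example. This is added illustration, not Samba, ldb or Fedora Directory Server code; the LDIF search result is constructed for the example, the DN and attribute values are hypothetical, and no server is contacted:

```python
"""
Decide which GUI fields to grey out from the allowedAttributes and
allowedAttributesEffective constructed attributes that an AD-style server
returns for an entry.  Added example, not code from Samba or Fedora DS.
The search result below is constructed for this example; it is not output
captured from a real directory.
"""
from typing import Dict, Iterable, List, Set

# Constructed result of a search that requested allowedAttributes and
# allowedAttributesEffective for one entry (hypothetical DN and values).
SAMPLE_LDIF = """\
dn: CN=Administrator,CN=Users,DC=example,DC=test
allowedAttributes: adminDisplayName
allowedAttributes: description
allowedAttributes: displayName
allowedAttributes: objectSid
allowedAttributes: sAMAccountName
allowedAttributesEffective: adminDisplayName
allowedAttributesEffective: description
allowedAttributesEffective: displayName
"""


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse a single LDIF entry into attribute name (lower-cased) -> values."""
    attrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def attribute_values(entry: Dict[str, List[str]], name: str) -> Set[str]:
    """Values of one multi-valued attribute, case-folded (LDAP names are case-insensitive)."""
    return {v.lower() for v in entry.get(name.lower(), [])}


def editable_fields(entry: Dict[str, List[str]]) -> Set[str]:
    """Attributes the server says this bind may write.  A read-only bind
    simply gets no allowedAttributesEffective values, so this is empty."""
    return attribute_values(entry, "allowedAttributesEffective")


def read_only_fields(entry: Dict[str, List[str]]) -> Set[str]:
    """Attributes the schema allows on the object but this bind may not write."""
    return attribute_values(entry, "allowedAttributes") - editable_fields(entry)


def field_state(entry: Dict[str, List[str]], names: Iterable[str]) -> Dict[str, str]:
    """Map each GUI field to 'editable', 'read-only' or 'unknown' (not in the
    schema-derived list at all, so the form should not offer it)."""
    allowed = attribute_values(entry, "allowedAttributes")
    effective = editable_fields(entry)
    states: Dict[str, str] = {}
    for n in names:
        key = n.lower()
        if key in effective:
            states[n] = "editable"
        elif key in allowed:
            states[n] = "read-only"
        else:
            states[n] = "unknown"
    return states


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_LDIF)
    for field, state in field_state(entry, ["displayName", "objectSid", "mail"]).items():
        print(f"{field:16s} {state}")
```

The two attribute names are exactly the ones the ldbsearch command at the top of the thread requests; a real client would ask for them in the search alongside the fields it displays. The result is only a hint for the form: the server still enforces its ACLs on the actual modify, and as the thread notes, ACLs that depend on attribute values cannot be fully reflected in a per-attribute list, so the client should still handle a rejected write gracefully rather than assume the greyed-out set is authoritative.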


--
Fedora-directory-devel mailing list
Fedora-directory-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-devel
