Andrew Bartlett wrote:
> On Fri, 2006-11-03 at 01:46 +0100, Pierangelo Masarati wrote:
>> Andrew Bartlett wrote:
>>> Sorry, this seems a bit recursive. I'm lost.
>>
>> In fact, it is. The point is that what you're asking for may not comply
>> with the ACL model of most DSA implementations, which usually is a
>> desirable model for a number of reasons. What you need is a
>> "cooperative" DSA administrator that agrees to use only a subset of the
>> ACL semantics so that their effect can be computed a priori, without any
>> knowledge of the values that are/will be stored in the attributes.
>> Under this assumption, implementing the feature you desire should be
>> straightforward.
>
> Or you simply ignore checks for value when evaluating the ACL, and
> declare that the attribute may be written to if there is any possible
> valid value.
>
> That should be enough for GUI writers to use for simple user-feedback,
> with a more detailed error reported to a user on the actual modify
> failure.

I've just written a toy module for OpenLDAP (HEAD; haven't checked with
earlier versions) that returns the allowedAttributes and
allowedAttributesEffective based on the assumption that ACLs do not
depend on attribute values. You can download it from
<http://www.sys-net.it/~ando/Download/allowed.c>. Its transposition to
FDS __should__ be straightforward. I plan to submit it as a contrib to
OpenLDAP. BTW, can you point me to the schema definition of
allowedAttributes and allowedAttributesEffective?
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati@xxxxxxxxxx
------------------------------------------
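
The value-blind evaluation discussed in this thread, as an added example that is not part of the original message and is not taken from allowed.c or from OpenLDAP's ACL engine. The rule structure, the `may_write` function and the sample policy are hypothetical, and the value-blind answer assumes every value clause can be satisfied by some value, so it over-approximates what a real modify will accept.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical toy ACL rule (not OpenLDAP's ACL syntax); first match wins. */
struct rule {
    const char *attr;   /* attribute name, "*" = any attribute */
    const char *who;    /* subject, "*" = anyone */
    const char *prefix; /* NULL = value-independent; else value must start with it */
    int write;          /* 1 = grant write, 0 = deny */
};

/* Constructed sample policy. */
static const struct rule acl[] = {
    { "userPassword",    "self", NULL,  1 },
    { "telephoneNumber", "self", "+39", 1 },  /* depends on the value */
    { "*",               "*",    NULL,  0 },  /* default deny */
};
#define NRULES (sizeof acl / sizeof acl[0])

static int hit(const char *p, const char *s) { return !strcmp(p, "*") || !strcmp(p, s); }

/* value != NULL: exact check, as at modify time when the value is known.
 * value == NULL: value-blind check, "writable if any possible valid value". */
int may_write(const char *who, const char *attr, const char *value)
{
    for (size_t i = 0; i < NRULES; i++) {
        const struct rule *r = &acl[i];
        if (!hit(r->attr, attr) || !hit(r->who, who))
            continue;
        if (r->prefix && value == NULL) {   /* value clause, value unknown */
            if (r->write) return 1;         /* some value would be accepted */
            continue;                       /* other values fall through */
        }
        if (r->prefix && strncmp(value, r->prefix, strlen(r->prefix)) != 0)
            continue;                       /* value clause not met: next rule */
        return r->write;
    }
    return 0;
}

int main(void)
{
    /* Listed as writable for the GUI, yet this particular value is refused. */
    printf("listed as writable: %d\n", may_write("self", "telephoneNumber", NULL));
    printf("write of +1 555 0100: %d\n", may_write("self", "telephoneNumber", "+1 555 0100"));
    return 0;
}
```

The gap between the two results is the case where the GUI shows the attribute as editable and the detailed error only appears on the actual modify.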