Re: [389-devel] Design review: Access control on entries specified in MODDN operation (ticket 47553)

Not sure what you mean. Do you mean the entry in which you set the aci attribute must be a parent/ancestor of both the target_to DN and the target_from DN?

Also what to do if 'target_to'/'target_from' are missing, to replace them with the entry DN having the aci?

I think it would be better to have to specify both target_to and target_from - that way there is no ambiguity.

You still have to handle the problem of referential integrity e.g. what if someone renames target_from or target_to?

But this is a general problem already: if you have an aci in dc=example,dc=com with a normal target "ou=people,dc=example,dc=com" and you rename ou=people, the aci is not changed. The same is true in bindrules: if you have an allow for userdn=ldap:///cn=x,ou=y,o=suffix and move cn=x to ou=z, the bind rule no longer applies.

--
389-devel mailing list
389-devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-devel
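
The referential-integrity point raised at the end of the message, as an added example that is not part of the original post or of 389 Directory Server's code: a pre-rename check that lists the ACI references (target, the proposed target_to/target_from, and userdn) that would stop applying once an entry is renamed or moved. The function names are hypothetical, the ACI strings are constructed samples, and DN normalization is simplified (no escaped commas).

```python
import re

# Keywords whose value is an ldap:/// URL naming a DN. target_to/target_from
# are the keywords proposed in this thread; targetattr is deliberately excluded.
_REF = re.compile(
    r'\b(target_to|target_from|target|userdn)\s*!?=\s*"([^"]*)"', re.I)

def normalize_dn(dn):
    """Simplified normalization (assumption): lowercase, trim each RDN."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def is_under(dn, base):
    """True if dn is base itself or an entry below it."""
    dn, base = normalize_dn(dn), normalize_dn(base)
    return dn == base or dn.endswith("," + base)

def stale_refs(acis, renamed_dn):
    """Return (holder_dn, keyword, referenced_dn) for each ACI reference
    that names renamed_dn or a descendant and is not rewritten by a MODDN."""
    hits = []
    for holder, aci in acis:
        for keyword, value in _REF.findall(aci):
            for url in value.split("||"):  # a value may list several URLs
                url = url.strip()
                if not url.lower().startswith("ldap:///"):
                    continue
                ref = url[len("ldap:///"):]
                if ref and is_under(ref, renamed_dn):
                    hits.append((holder, keyword.lower(), ref))
    return hits

# Constructed sample: (DN of the entry holding the aci, aci value).
SAMPLE_ACIS = [
    ("dc=example,dc=com",
     '(target = "ldap:///ou=people,dc=example,dc=com")(targetattr = "*")'
     '(version 3.0; acl "people read"; allow (read) userdn = "ldap:///anyone";)'),
    ("o=suffix",
     '(targetattr = "*")(version 3.0; acl "x write"; allow (write) '
     'userdn = "ldap:///cn=x,ou=y,o=suffix";)'),
    ("dc=example,dc=com",
     '(target_from = "ldap:///ou=staging,dc=example,dc=com")'
     '(target_to = "ldap:///ou=people,dc=example,dc=com")'
     '(version 3.0; acl "move"; allow (moddn) '
     'userdn = "ldap:///cn=admin,dc=example,dc=com";)'),
]

if __name__ == "__main__":
    for hit in stale_refs(SAMPLE_ACIS, "ou=people,dc=example,dc=com"):
        print("stale after rename:", hit)
```

Run against an export of the aci attributes before a rename, each hit is a rule that needs manual review because the server leaves its DN text unchanged.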




