Re: (ITS#7493) slapo-allowed: allowed* attrs are replicated
by hyc@symas.com
Michael Ströder wrote:
> hyc(a)symas.com wrote:
>> masarati(a)aero.polimi.it wrote:
>>> On 01/15/2013 07:40 PM, michael(a)stroeder.com wrote:
>>>
>>>> Please consider the attached patch which sets allowed
>>>> "USAGE dSAOperation". This seems to be the most appropriate USAGE compara=
>>>> ble
>>>> to what's set for entryTTL in slapo-dds.
>>>
>>> No objection with this patch, since those properties were "arbitrarily"
>>> assigned to attributes defined by others to provide software
>>> interoperability. Unless anyone has objections, I'd commit it.
>>
>> Go ahead. Please add a comment about the origin of the schema definitions and
>> these interoperability concerns.
>
> These attribute type descriptions were roughly taken from MS AD.
I meant, please add a comment *in the patch* so it will remain in the source code.
> Today I've checked the subschema of a W2K8R2 AD server:
> I did not find a single attribute type description with USAGE although there
> were attribute types formally defined in RFCs. One example is 'entryTTL'
> defined with "USAGE dSAOperation" in RFC 2589 which in fact was co-authored by
> Microsoft employees.
>
> The official Microsoft documentation is here [MS-ADA1]:
>
> http://msdn.microsoft.com/en-us/library/cc219752.aspx
>
> Ciao, Michael.
>
10 years, 10 months
Re: (ITS#7493) slapo-allowed: allowed* attrs are replicated
by michael@stroeder.com
hyc(a)symas.com wrote:
> masarati(a)aero.polimi.it wrote:
>> On 01/15/2013 07:40 PM, michael(a)stroeder.com wrote:
>>
>>> Please consider the attached patch which sets allowed
>>> "USAGE dSAOperation". This seems to be the most appropriate USAGE compara=
>>> ble
>>> to what's set for entryTTL in slapo-dds.
>>
>> No objection with this patch, since those properties were "arbitrarily"
>> assigned to attributes defined by others to provide software
>> interoperability. Unless anyone has objections, I'd commit it.
>
> Go ahead. Please add a comment about the origin of the schema definitions and
> these interoperability concerns.
These attribute type descriptions were roughly taken from MS AD.
Today I've checked the subschema of a W2K8R2 AD server:
I did not find a single attribute type description with USAGE although there
were attribute types formally defined in RFCs. One example is 'entryTTL'
defined with "USAGE dSAOperation" in RFC 2589 which in fact was co-authored by
Microsoft employees.
The official Microsoft documentation is here [MS-ADA1]:
http://msdn.microsoft.com/en-us/library/cc219752.aspx
Ciao, Michael.
10 years, 10 months
Re: (ITS#7493) slapo-allowed: allowed* attrs are replicated
by hyc@symas.com
masarati(a)aero.polimi.it wrote:
> On 01/15/2013 07:40 PM, michael(a)stroeder.com wrote:
>
>> Please consider the attached patch which sets allowed
>> "USAGE dSAOperation". This seems to be the most appropriate USAGE compara=
>> ble
>> to what's set for entryTTL in slapo-dds.
>
> No objection with this patch, since those properties were "arbitrarily"
> assigned to attributes defined by others to provide software
> interoperability. Unless anyone has objections, I'd commit it.
Go ahead. Please add a comment about the origin of the schema definitions and
these interoperability concerns.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
10 years, 10 months
Re: (ITS#7493) slapo-allowed: allowed* attrs are replicated
by masarati@aero.polimi.it
On 01/15/2013 07:40 PM, michael(a)stroeder.com wrote:
> Please consider the attached patch which sets allowed
> "USAGE dSAOperation". This seems to be the most appropriate USAGE compara=
> ble
> to what's set for entryTTL in slapo-dds.
No objection with this patch, since those properties were "arbitrarily"
assigned to attributes defined by others to provide software
interoperability. Unless anyone has objections, I'd commit it.
Thanks, p.
--
Pierangelo Masarati
Associate Professor
Dipartimento di Ingegneria Aerospaziale
Politecnico di Milano
10 years, 10 months
Re: (ITS#7490) Security weakness in sha2 password module
by quanah@zimbra.com
--On Friday, January 11, 2013 6:19 AM +0000 mhardin(a)symas.com wrote:
> Full_Name: Matthew Hardin
> Version: 2.4.33+
> OS: All
> URL: ftp://ftp.openldap.org/incoming/sha2.c-diff.txt
> Submission from: (NULL) (69.43.206.100)
>
>
> contrib/slapd-modules/passwd/sha2/sha2.c uses a series of context buffers
> and zeros them out in several places using the following macro:
>
> MEMSET_BZERO(context, sizeof(context))
>
> The variable 'context' is a pointer to a context buffer, so sizeof will
> evaluate to the size of a pointer for the particular platform. As a
> result, the context buffer is only partially zeroed.
>
> The correct invocation is:
>
> MEMSET_BZERO(context, sizeof(*context))
>
> which will zero out the complete context buffer.
>
> The referenced diff details the changes to sha2.c that are necessary to
> correct this issue.
>
> Note this also cleans up warnings reported by MacOS's clang compiler.
>
> I, Matthew Hardin, hereby place the following modifications to OpenLDAP
> Software (and only these modifications) into the public domain. Hence,
> these modifications may be freely used and/or redistributed for any
> purpose with or without attribution and/or other notice.
Can you resubmit the patch using git-format-patch? Or at least using
unified diff format? ;)
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
10 years, 10 months
Re: (ITS#7493) slapo-allowed: allowed* attrs are replicated (re-sent)
by michael@stroeder.com
This is a multi-part message in MIME format.
--------------090002030703010005000105
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
(Re-sent without S/MIME signature to make ITS software happy)
Please consider the attached patch which sets allowed
"USAGE dSAOperation". This seems to be the most appropriate USAGE comparable
to what's set for entryTTL in slapo-dds.
I, Michael Ströder, hereby place the attached modifications to OpenLDAP
Software (and only these modifications) into the public domain. Hence, these
modifications may be freely used and/or redistributed for any purpose with or
without attribution and/or other notice.
Ciao, Michael.
--------------090002030703010005000105
Content-Type: text/x-patch;
name="openldap_its7493.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
filename="openldap_its7493.patch"
diff --git a/contrib/slapd-modules/allowed/allowed.c b/contrib/slapd-modules/allowed/allowed.c
index b44461a..0099b70 100644
--- a/contrib/slapd-modules/allowed/allowed.c
+++ b/contrib/slapd-modules/allowed/allowed.c
@@ -73,7 +73,7 @@ static struct {
/* added by me :) */
"DESC 'Child classes allowed for a given object' "
"NO-USER-MODIFICATION "
- "USAGE directoryOperation )", &ad_allowedChildClasses },
+ "USAGE dSAOperation )", &ad_allowedChildClasses },
{ "( " AA_SCHEMA_AT ".912 "
"NAME 'allowedChildClassesEffective' "
"EQUALITY objectIdentifierMatch "
@@ -81,7 +81,7 @@ static struct {
/* added by me :) */
"DESC 'Child classes allowed for a given object according to ACLs' "
"NO-USER-MODIFICATION "
- "USAGE directoryOperation )", &ad_allowedChildClassesEffective },
+ "USAGE dSAOperation )", &ad_allowedChildClassesEffective },
{ "( " AA_SCHEMA_AT ".913 "
"NAME 'allowedAttributes' "
"EQUALITY objectIdentifierMatch "
@@ -89,7 +89,7 @@ static struct {
/* added by me :) */
"DESC 'Attributes allowed for a given object' "
"NO-USER-MODIFICATION "
- "USAGE directoryOperation )", &ad_allowedAttributes },
+ "USAGE dSAOperation )", &ad_allowedAttributes },
{ "( " AA_SCHEMA_AT ".914 "
"NAME 'allowedAttributesEffective' "
"EQUALITY objectIdentifierMatch "
@@ -97,7 +97,7 @@ static struct {
/* added by me :) */
"DESC 'Attributes allowed for a given object according to ACLs' "
"NO-USER-MODIFICATION "
- "USAGE directoryOperation )", &ad_allowedAttributesEffective },
+ "USAGE dSAOperation )", &ad_allowedAttributesEffective },
/* TODO: add objectClass stuff? */
--------------090002030703010005000105--
10 years, 10 months
Re: (ITS#7494) dynlist overlay and DSAmanageIT control
by masarati@aero.polimi.it
> Full_Name: Jon Kidder
> Version: 2.4.33
> OS: RHEL 5.0
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (167.239.222.81)
>
>
> I have discovered that the dynamic list overlay in 2.4.33 refuses to
> supply
> defined dynamic attributes when the DSAmanageIT control is present in a
> search
> request.
How did you discover it, by reading the slapo-dynlist(5) manpage? This
has been slapo-dynlist's behavior by design from the beginning. The
manageDSAit control is used to inhibit dynamic list expansion and access
the actual content of the entry instead (e.g. for DSAit management
purposes).
p.
--
Pierangelo Masarati
Associate Professor
Dipartimento di Ingegneria Aerospaziale
Politecnico di Milano
10 years, 10 months
Re: (ITS#7493) slapo-allowed: allowed* attrs are replicated
by michael@stroeder.com
This is a cryptographically signed message in MIME format.
--------------ms020008020506010505010302
Content-Type: multipart/mixed;
boundary="------------080000060105060705050402"
This is a multi-part message in MIME format.
--------------080000060105060705050402
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Please consider the attached patch which sets allowed
"USAGE dSAOperation". This seems to be the most appropriate USAGE compara=
ble
to what's set for entryTTL in slapo-dds.
I, Michael Str=F6der, hereby place the attached modifications to OpenLDAP=
Software (and only these modifications) into the public domain. Hence, th=
ese
modifications may be freely used and/or redistributed for any purpose wit=
h or
without attribution and/or other notice.
Ciao, Michael.
--------------080000060105060705050402
Content-Type: text/x-patch;
name="openldap_its7493.patch"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
filename="openldap_its7493.patch"
diff --git a/contrib/slapd-modules/allowed/allowed.c b/contrib/slapd-modu=
les/allowed/allowed.c
index b44461a..0099b70 100644
--- a/contrib/slapd-modules/allowed/allowed.c
+++ b/contrib/slapd-modules/allowed/allowed.c
@@ -73,7 +73,7 @@ static struct {
/* added by me :) */
"DESC 'Child classes allowed for a given object' "
"NO-USER-MODIFICATION "
- "USAGE directoryOperation )", &ad_allowedChildClasses },
+ "USAGE dSAOperation )", &ad_allowedChildClasses },
{ "( " AA_SCHEMA_AT ".912 "
"NAME 'allowedChildClassesEffective' "
"EQUALITY objectIdentifierMatch "
@@ -81,7 +81,7 @@ static struct {
/* added by me :) */
"DESC 'Child classes allowed for a given object according to ACLs' "
"NO-USER-MODIFICATION "
- "USAGE directoryOperation )", &ad_allowedChildClassesEffective },
+ "USAGE dSAOperation )", &ad_allowedChildClassesEffective },
{ "( " AA_SCHEMA_AT ".913 "
"NAME 'allowedAttributes' "
"EQUALITY objectIdentifierMatch "
@@ -89,7 +89,7 @@ static struct {
/* added by me :) */
"DESC 'Attributes allowed for a given object' "
"NO-USER-MODIFICATION "
- "USAGE directoryOperation )", &ad_allowedAttributes },
+ "USAGE dSAOperation )", &ad_allowedAttributes },
{ "( " AA_SCHEMA_AT ".914 "
"NAME 'allowedAttributesEffective' "
"EQUALITY objectIdentifierMatch "
@@ -97,7 +97,7 @@ static struct {
/* added by me :) */
"DESC 'Attributes allowed for a given object according to ACLs' "
"NO-USER-MODIFICATION "
- "USAGE directoryOperation )", &ad_allowedAttributesEffective },
+ "USAGE dSAOperation )", &ad_allowedAttributesEffective },
=20
/* TODO: add objectClass stuff? */
=20
--------------080000060105060705050402--
--------------ms020008020506010505010302
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIILHzCC
BT8wggQnoAMCAQICDwCmSwABAAIAivjZQ8SBvzANBgkqhkiG9w0BAQUFADB8MQswCQYDVQQG
EwJERTEcMBoGA1UEChMTVEMgVHJ1c3RDZW50ZXIgR21iSDElMCMGA1UECxMcVEMgVHJ1c3RD
ZW50ZXIgQ2xhc3MgMSBMMSBDQTEoMCYGA1UEAxMfVEMgVHJ1c3RDZW50ZXIgQ2xhc3MgMSBM
MSBDQSBJWDAeFw0xMjA2MDYxOTAyMTZaFw0xMzA2MDcxOTAyMTZaMCgxCzAJBgNVBAYTAkRF
MRkwFwYDVQQDDBBNaWNoYWVsIFN0csO2ZGVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAxXZGav40rnGNLxEggBW94MILWHlfC8a23Jew5U1gPlfRTXOjjzmoaZ1uCyGdgF6M
VvuO9T1aTQNGH+OdeGe3P7Tfc/NsLJFJ2wtd8blvhmodUgse2eypiWjNOd4gZuhalBhgsQ0K
b5D6/1foghII4E264iZlJ7AJ+UYcO+GxvFWT0YMTbLckgDkZk7c3qwTozdhYvXarvqx+8Ou/
kuxpQQhac/ebzxpu0N+RHSf2KIUS0g0tEGnPtGv6iL+9QNHc4JKo9Y9KKVw3tQy+Re+FQLxB
1fPE5F+qxuD3AUENpOwkMsqWLM94ohtx3CFqLpxfUPrnKFLAHOhHEbByYGvFPwIDAQABo4IC
EDCCAgwwgaUGCCsGAQUFBwEBBIGYMIGVMFEGCCsGAQUFBzAChkVodHRwOi8vd3d3LnRydXN0
Y2VudGVyLmRlL2NlcnRzZXJ2aWNlcy9jYWNlcnRzL3RjX2NsYXNzMV9MMV9DQV9JWC5jcnQw
QAYIKwYBBQUHMAGGNGh0dHA6Ly9vY3NwLml4LnRjY2xhc3MxLnRjdW5pdmVyc2FsLWkudHJ1
c3RjZW50ZXIuZGUwHwYDVR0jBBgwFoAU6bgoHUbP/M34TpvF7ktg69g7P9EwDAYDVR0TAQH/
BAIwADBKBgNVHSAEQzBBMD8GCSqCFAAsAQEBATAyMDAGCCsGAQUFBwIBFiRodHRwOi8vd3d3
LnRydXN0Y2VudGVyLmRlL2d1aWRlbGluZXMwDgYDVR0PAQH/BAQDAgTwMB0GA1UdDgQWBBS2
KAWfTfgJ/JQ63qLGwTXYLnI+LzBiBgNVHR8EWzBZMFegVaBThlFodHRwOi8vY3JsLml4LnRj
Y2xhc3MxLnRjdW5pdmVyc2FsLWkudHJ1c3RjZW50ZXIuZGUvY3JsL3YyL3RjX0NsYXNzMV9M
MV9DQV9JWC5jcmwwMwYDVR0lBCwwKgYIKwYBBQUHAwIGCCsGAQUFBwMEBggrBgEFBQcDBwYK
KwYBBAGCNxQCAjAfBgNVHREEGDAWgRRtaWNoYWVsQHN0cm9lZGVyLmNvbTANBgkqhkiG9w0B
AQUFAAOCAQEAQ3bvVUpEq+cQrLpcogyt5BJNk/WvUvOHqhzyj28M9pg9hcDl1+MYl5qqj6tR
GSTLPQZyf287pcmbMwbcTGZO/gbW9v7RYcut6RauWdwKMCUmKC3J4fVfDq9ZETA2WOV68ef4
B3Gzdhghsbp3Rhp5dDmrCVKAHlafm6ZwJrEQ9P76fxnQZzRLgeKpZep5ePH5YHUB3+YaOQvJ
FG0bOXvfHhRiRG7/HW2G+yDgjHSxDz8AFzMWL/RFePqZ4pn6T/SM/qU6WEpW39MWyJNoH/Kx
QDYK8gGYuesn1ciMCTnjrvZQj0fonGTO4SfWekJRkuGrJ7dYSZRjYbDcWBBkdFLWzzCCBdgw
ggTAoAMCAQICDgboAAEAAkqWLSQM/sXJMA0GCSqGSIb3DQEBBQUAMHkxCzAJBgNVBAYTAkRF
MRwwGgYDVQQKExNUQyBUcnVzdENlbnRlciBHbWJIMSQwIgYDVQQLExtUQyBUcnVzdENlbnRl
ciBVbml2ZXJzYWwgQ0ExJjAkBgNVBAMTHVRDIFRydXN0Q2VudGVyIFVuaXZlcnNhbCBDQSBJ
MB4XDTA5MTEwMzE0MDgxOVoXDTI1MTIzMTIxNTk1OVowfDELMAkGA1UEBhMCREUxHDAaBgNV
BAoTE1RDIFRydXN0Q2VudGVyIEdtYkgxJTAjBgNVBAsTHFRDIFRydXN0Q2VudGVyIENsYXNz
IDEgTDEgQ0ExKDAmBgNVBAMTH1RDIFRydXN0Q2VudGVyIENsYXNzIDEgTDEgQ0EgSVgwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75pBuz2Lp6QuqthDVR+V8XSsncZpozVVt
5KLv5P7yemMRwleKyH3PjmYfZUVL64Biab1GjovFblqVGCrep/EfdRonq20yU+P7TVhiLP8Z
5cegDZotIYhZhM0d8cPIij6w5d4IJM/8QCy6QSOUu4ASiTVItoYE4AFPjLqpmPwcie0fiqHH
hpgmHnJla/7PZdkMZEsaCfVDEWBmJuMzVprJPT40anjG5VBLyM2I5DlsUCaeQCy2O3w3sqf1
3dyzUcv03IICuNc63towXA31Qt0TaVNU6YAmQjMepdfMbspmCZ+G8D2+xophEPPR/1vkstst
smUMqX0XrLonTUJczglPAgMBAAGjggJZMIICVTCBmgYIKwYBBQUHAQEEgY0wgYowUgYIKwYB
BQUHMAKGRmh0dHA6Ly93d3cudHJ1c3RjZW50ZXIuZGUvY2VydHNlcnZpY2VzL2NhY2VydHMv
dGNfdW5pdmVyc2FsX3Jvb3RfSS5jcnQwNAYIKwYBBQUHMAGGKGh0dHA6Ly9vY3NwLnRjdW5p
dmVyc2FsLUkudHJ1c3RjZW50ZXIuZGUwHwYDVR0jBBgwFoAUkqR1LKSevoFE63n8isWVpesQ
dXMwEgYDVR0TAQH/BAgwBgEB/wIBADBSBgNVHSAESzBJMAYGBFUdIAAwPwYJKoIUACwBAQEB
MDIwMAYIKwYBBQUHAgEWJGh0dHA6Ly93d3cudHJ1c3RjZW50ZXIuZGUvZ3VpZGVsaW5lczAO
BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFOm4KB1Gz/zN+E6bxe5LYOvYOz/RMIH9BgNVHR8E
gfUwgfIwge+ggeyggemGRmh0dHA6Ly9jcmwudGN1bml2ZXJzYWwtSS50cnVzdGNlbnRlci5k
ZS9jcmwvdjIvdGNfdW5pdmVyc2FsX3Jvb3RfSS5jcmyGgZ5sZGFwOi8vd3d3LnRydXN0Y2Vu
dGVyLmRlL0NOPVRDJTIwVHJ1c3RDZW50ZXIlMjBVbml2ZXJzYWwlMjBDQSUyMEksTz1UQyUy
MFRydXN0Q2VudGVyJTIwR21iSCxPVT1yb290Y2VydHMsREM9dHJ1c3RjZW50ZXIsREM9ZGU/
Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlPzANBgkqhkiG9w0BAQUFAAOCAQEAOcjE
m+6+mO5Icm+N53G2DpCM07LBFSGoRpBoX0oE8TrJaIQh2KXmBHVdn9LU8kt3QzLclctgvwJV
0KwcsMUUl5tlCsMPpR3s2Ek5lbWpvvr0HqtW56blAQiINV9nBd1EJFASIkRjefGbV2nOq9Yz
UU+N8HA7jq1ROhd/NZZraGhjthwKyfjfHV7PKxGlY+3M0MbTIG+q/GhIfm0euDpFqhKG88e9
ALXr/uoSn3MzeOcoOWjTpW3adtFO4VWVgKbgG7jNrFbvRVlHmFLbOm4msjE5aXWxLiTwpJ2X
iF4zKca1vAdAOgw9us90jEtOeiH6GzjNxEMvb7TfeO6Zkuc6HDGCA84wggPKAgEBMIGPMHwx
CzAJBgNVBAYTAkRFMRwwGgYDVQQKExNUQyBUcnVzdENlbnRlciBHbWJIMSUwIwYDVQQLExxU
QyBUcnVzdENlbnRlciBDbGFzcyAxIEwxIENBMSgwJgYDVQQDEx9UQyBUcnVzdENlbnRlciBD
bGFzcyAxIEwxIENBIElYAg8ApksAAQACAIr42UPEgb8wCQYFKw4DAhoFAKCCAhMwGAYJKoZI
hvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTMwMTE1MTg0MDAwWjAjBgkq
hkiG9w0BCQQxFgQUpoVTENSoP9NXF741WIXk6TTjK0gwbAYJKoZIhvcNAQkPMV8wXTALBglg
hkgBZQMEASowCwYJYIZIAWUDBAECMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDANBggq
hkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDCBoAYJKwYBBAGCNxAEMYGSMIGP
MHwxCzAJBgNVBAYTAkRFMRwwGgYDVQQKExNUQyBUcnVzdENlbnRlciBHbWJIMSUwIwYDVQQL
ExxUQyBUcnVzdENlbnRlciBDbGFzcyAxIEwxIENBMSgwJgYDVQQDEx9UQyBUcnVzdENlbnRl
ciBDbGFzcyAxIEwxIENBIElYAg8ApksAAQACAIr42UPEgb8wgaIGCyqGSIb3DQEJEAILMYGS
oIGPMHwxCzAJBgNVBAYTAkRFMRwwGgYDVQQKExNUQyBUcnVzdENlbnRlciBHbWJIMSUwIwYD
VQQLExxUQyBUcnVzdENlbnRlciBDbGFzcyAxIEwxIENBMSgwJgYDVQQDEx9UQyBUcnVzdENl
bnRlciBDbGFzcyAxIEwxIENBIElYAg8ApksAAQACAIr42UPEgb8wDQYJKoZIhvcNAQEBBQAE
ggEAnErBsB1Irvgi6SFHujzKoEbcOV6VxNDlc7dGSZtr55YPnJ0vvZjPOpXpQ/o+SpeUswFp
dLLv1RSwdL/ahZ9L5FFVMcbX9khvD+1beRYFFkhGg/UuVHEQWdZnRRacUT+v93tj9t4Sr526
Wcn7K0if4KtLCkPh0sh4MilBSLScENbWJppsr2sq/K5zy9R0u1XAev2R2qnhlsdnCEqfoLQ3
gISQIM+wmAbn+Az6TYw/vabVYA/pKM4Fbiah3sRfrItVPDMOzYm59CyfjFrjvTSZcH93lUmx
iC3GYilhfuyHS9RxO6wIbIjje41x4+Ogm/3FSgfPl6IkiOZepAMHHeiXOQAAAAAAAA==
--------------ms020008020506010505010302--
10 years, 10 months
Re: (ITS#7493) slapo-allowed: allowed* attrs are replicated
by michael@stroeder.com
On Tue, 15 Jan 2013 13:37:06 GMT masarati(a)aero.polimi.it wrote
> Their value depends on ACLs, so in order to reflect ACLs on a specific
> DSA they should be generated; however, I concur ACLs should not depend
> on the specific DSA of a replication setup.
BTW: It does make sense to have different ACLs on different replicas!
Think of a master with fine-grained ACLs for entry management and read-only
consumers with simpler ACLs for better performance.
Ciao, Michael.
10 years, 10 months
