Full_Name: Pierangelo Masarati
Version: HEAD
OS: irrelevant
URL: ftp://ftp.openldap.org/incoming/pierangelo-masarati-2006-11-03-allowed.c
Submission from: (NULL) (81.72.89.40)
Submitted by: ando

This overlay provides simple support for allowedAttributes and allowedAttributesEffective, a (somewhat broken) AD feature that is intended to help GUIs determine, based on the current objectClass values of an object, what attributes would comply with the schema (without distinction between "allowed" and "required"), by listing them in "allowedAttributes", and, furthermore, to provide a hint as to which of those values could be effectively added by the current connection, by listing them in "allowedAttributesEffective". This is broken since it doesn't consider the possibility of value-dependent ACLs, so it should really be considered just a hint, while the "allowedAttributes" could really be computed starting from the schema definition, which remains the recommended way to solve the problem.
So this overlay should really be considered only food for thought as a starting base for a tighter integration of OpenLDAP into Samba4.
There's minimal support for "allowedChildClasses" and "allowedChildClassesEffective", whose definition is absolutely obscure to me, as I believe the only classes that can be added to an existing object are all the AUXILIARY ones, while considering what is effectively allowed implies getting into value-dependent ACLs.
Some discussion can be found here (follow the thread) http://www.redhat.com/archives/fedora-directory-devel/2006-November/msg00000.html while portions of the schema definition have been taken from here http://www.redhat.com/archives/fedora-directory-devel/2006-August/msg00007.html
p.
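
The schema-based computation of "allowedAttributes" that the submission recommends, sketched client-side as an added example (not part of the submission or of the overlay's code). The schema strings, the `exampleAux` class and all function names are constructed for illustration; the code takes no account of ACLs, so it yields nothing comparable to "allowedAttributesEffective".

```python
import re

# Constructed sample subschema, RFC 4512 ObjectClassDescription syntax.
SCHEMA = [
    "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )",
    "( 2.5.6.6 NAME 'person' DESC 'MAY hold a name' SUP top STRUCTURAL "
    "MUST ( sn $ cn ) MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )",
    "( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL MAY ( title $ ou $ l ) )",
    "( 1.1.2.2.1 NAME ( 'exampleAux' 'exAux' ) SUP top AUXILIARY MAY ( mail $ l ) )",
]

def _oids(desc, keyword):
    """Names after KEYWORD, written either as 'a' or as '( a $ b )'."""
    bare = re.sub(r"'[^']*'", "''", desc)  # blank quoted strings (NAME, DESC)
    m = re.search(r"\b%s\s+(?:\(([^)]*)\)|([\w.;-]+))" % keyword, bare)
    if not m:
        return []
    body = m.group(1) if m.group(1) is not None else m.group(2)
    return [t.strip() for t in body.split("$") if t.strip()]

def parse_schema(descriptions):
    """Map each lowercased class name to (SUP list, MUST + MAY attributes)."""
    classes = {}
    for desc in descriptions:
        names = re.search(r"\bNAME\s+(\([^)]*\)|'[^']*')", desc).group(1)
        entry = (_oids(desc, "SUP"), _oids(desc, "MUST") + _oids(desc, "MAY"))
        for name in re.findall(r"'([^']*)'", names):
            classes[name.lower()] = entry
    return classes

def allowed_attributes(classes, object_classes):
    """Union of MUST and MAY over the entry's classes and all their superiors."""
    allowed, seen, todo = {}, set(), [oc.lower() for oc in object_classes]
    while todo:
        oc = todo.pop()
        if oc in seen:
            continue
        seen.add(oc)
        sups, attrs = classes[oc]  # KeyError: class missing from the schema
        todo.extend(s.lower() for s in sups)
        for attr in attrs:
            allowed.setdefault(attr.lower(), attr)  # names are case-insensitive
    return sorted(allowed.values(), key=str.lower)

if __name__ == "__main__":
    print(allowed_attributes(parse_schema(SCHEMA), ["organizationalPerson", "exAux"]))
```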