Russ Allbery wrote:
So, that behavior of letting the dynlist or dyngroup overlay do a query
that the user querying the group tree is not themselves permitted to make
is exactly what we need, since we can then use the more granular access
control possible on the separate group DNs to implement control over
entitlement visibility that's otherwise annoying to represent.
The dgAuthz/dgPolicy stuff that Ando proposed doesn't preclude what you want
to do. I just am not convinced yet that dgAuthz is necessary. The code I just
committed for dynlist.c leaves that out for now; we can add it later if the
consensus is that it's useful.
--
-- Howard Chu
Chief Architect, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/