Pierangelo Masarati ando@sys-net.it wrote:
Unless one uses authzTo/authzFrom as a naming attribute, I don't see any issue. I haven't checked, but I believe modrdn already needs to comply with ACLs in a manner that allows finge-grain enough control. In fact, modrdn needs to pass access control both for the old and the new (r)dn, and the use of filters, sets and so allows to condition access on the entry's content.
Looking at the code for back-bdb, it requires you have: - write access to old parent - write access to new superior parent - write access to old entry - and there is a call to bdb_modify_internal() that will check for attribute ACL, and it this seems to be for the old location in the tree, not the new one.
So if you have an attribute ACL that applies only to the new location, it can be circunvented by a modrdn. I am not sure this is really a bug, though, perhaps just an unspecfied area.