Howard Chu wrote:
Kurt Zeilenga wrote:
On Sep 27, 2008, at 8:59 AM, Emmanuel Dreyfus wrote:
Hello
Right now, slapd ignore attribute ACL when performing an add operation.
I note that this is the expected behavior, been so for many, many years.
Yes, but it never really made much sense - it means you can be forbidden from modifying an existing record to contain certain privileged data, but not forbidden from creating records with privileged data. It makes sense to me that your ability to create particular data values should not depend on whether you're creating it for the very first time, or some subsequent time.
(Coming at it from the opposite direction, Delete of course requires you to permit the Delete even if certain attributes are read-only; since every entry contains read-only operational attributes, deletes would be impossible without this provision.)
Well, the user doesn't add operational attrs either, so it is perfectly symmetric that read-only attributes are automatically destroyed by users with "delete" permission on "entry".
In any case, I note that fixing this issue broke test006 (at least).
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando@sys-net.it -----------------------------------