--On Wednesday, February 14, 2007 12:24 AM +0100 Pierangelo Masarati ando@sys-net.it wrote:
Alex Samad wrote:
On Tue, Feb 13, 2007 at 06:50:02PM +0100, Pierangelo Masarati wrote:
Turbo Fredriksson wrote:
I'm not quite sure how it is SUPPOSED to work, but from my view, it's broken - ACI's don't work with re23 which is a stable release... ? Using ACI's, I have to access to create objects - that's what I see any way...
Well, nobody knows how it's supposed to work, since the expected behavior is undocumented.
Hi
Is there any doco on this, I don't know anything about it, could your provide a pointer to some info.
Browse http://www.openldap.org/faq/data/cache/1284.html in general for OpenLDA access control customization capabilities, and http://www.openldap.org/faq/data/cache/758.html for more details about ACIs. Note, that document is pretty old; something changed across time (which caused this thread, BTW). ACIs need to be documented; our reluctance also stems from the consideration that good documentation would encourage rather than discourage their use... anyway, volunteers are welcome.
I am presume this is a way of apply acl's to objects ?
Yes (experimental, deprecated and discouraged).
I think this is the very important part here -- deprecated and discouraged. I'd argue that long term, ACI support should be removed entirely (perhaps for 2.5?). The entire concept of ACI's is broken.
--Quanah
-- Quanah Gibson-Mount Principal Software Developer ITS/Shared Application Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html