> Hi,
> What about trying to modify/delete it with the noop control?

That is a good tip, thank you all. I will try to implement this, but I think this is some kind of "hack" anyway. Additionally I will check if a solution with the ACIs is also possible.
Googling around I've found a control named "effective rights": https://opends.dev.java.net/public/standards/draft-ietf-ldapext-acl-model.tx...
Is this supported by OpenLDAP?
Many thanks for your suggestion. Regards, S.
----- "Simon Victor" simon@victornet.de wrote:
>> Hi,
>> What about trying to modify/delete it with the noop control?
> That is a good tip, thank you all. I will try to implement this, but I think this is some kind of "hack" anyway. Additionally I will check if a solution with the ACIs is also possible.
> Googling around I've found a control named "effective rights": https://opends.dev.java.net/public/standards/draft-ietf-ldapext-acl-model.tx...
> Is this supported by OpenLDAP?

No. But there's this: http://www.openldap.org/its/?findid=4730. It's a contrib overlay that provides some information about accessibility. As expected, the information it can gather is not guaranteed to be correct; it's a best guess. As I already said, the only possibility to determine access rights consists in trying.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando@sys-net.it -----------------------------------
Simon Victor wrote:
>> What about trying to modify/delete it with the noop control?
> That is a good tip, thank you all.

While using the noop control may be helpful for checking whether an entry could be deleted (or another all-or-nothing operation), it's not helpful to determine which attributes may be modified.
I'm really curious to know what you really want to achieve.
Ciao, Michael.
> While using the noop control may be helpful for checking whether an entry could be deleted (or another all-or-nothing operation), it's not helpful to determine which attributes may be modified.
> I'm really curious to know what you really want to achieve.

ACLs at attribute level are unimportant for me. I plan to develop a GUI which helps to maintain some entries in an (Open)LDAP directory. For example, the application should show a delete button if I had "effectiveRights" to delete the specified entry.
Regards, Simon.
----- "Michael Ströder" michael@stroeder.com wrote:
> Simon Victor wrote:
>>> What about trying to modify/delete it with the noop control?
>> That is a good tip, thank you all.
> While using the noop control may be helpful for checking whether an entry could be deleted (or another all-or-nothing operation), it's not helpful to determine which attributes may be modified.

Why not? Yes, it's going to tell whether a full set of modifications will either succeed or fail, but nothing prevents you from performing repeated modifications. Yet you might fall into the perverse situation where subsequent modifications are conditioned on attribute values that previous modifications would have altered. That's one of the reasons predicting access privileges is not possible, unless access to the rules is given.

> I'm really curious to know what you really want to achieve.

Me too, moderately.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
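The situation Pierangelo describes, where a later modification is conditioned on a value an earlier modification removed, can be made concrete with an ordinary slapd.conf access rule. The fragment below is an added illustration, not configuration posted in this thread or taken from OpenLDAP's documentation; the suffix dc=example,dc=com, the ou=projects subtree, the owner attribute and the user cn=alice,ou=people,dc=example,dc=com are assumed for the sake of the example.

```conf
# Added illustration (not from the thread). Assumed layout: project entries
# under ou=projects,dc=example,dc=com, each carrying an 'owner' attribute
# whose values are user DNs.
#
# Whoever is listed in an entry's 'owner' attribute may change the owner
# list, edit the description and delete the entry ('entry' pseudo-attribute).
# Other authenticated users may only read.

access to dn.children="ou=projects,dc=example,dc=com" attrs=owner
    by dnattr=owner write
    by users read

access to dn.children="ou=projects,dc=example,dc=com" attrs=entry,description
    by dnattr=owner write
    by users read

# Deleting a child additionally needs write access to 'children' on the parent.
access to dn.base="ou=projects,dc=example,dc=com" attrs=children
    by users write
```

Bound as cn=alice, who is listed in the owner attribute of cn=proj1,ou=projects,dc=example,dc=com, two separate probes with the No-Op control (with the OpenLDAP client tools, `ldapmodify -e noop`, assuming the server honours the control) both report that the operation would succeed: "replace: description" on proj1, and "delete: owner" removing alice's own DN. Executed for real in the order owner first, description second, the first change succeeds and the second is refused with insufficientAccess, because the `dnattr=owner` clause is re-evaluated against the entry's current contents and alice is no longer in it. A GUI that probed once and cached "write" for the description field or the delete button would show controls that no longer work. The dependency lives in the rule, which the client cannot read, so the only honest answer is to re-probe after every write, or, as Michael suggests, to report "unknown".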
Pierangelo Masarati wrote:
> ----- "Michael Ströder" michael@stroeder.com wrote:
>> Simon Victor wrote:
>>>> What about trying to modify/delete it with the noop control?
>>> That is a good tip, thank you all.
>> While using the noop control may be helpful for checking whether an entry could be deleted (or another all-or-nothing operation), it's not helpful to determine which attributes may be modified.
> Why not? Yes, it's going to tell whether a full set of modifications will either succeed or fail, but nothing prevents you from performing repeated modifications.

Hmm, given the number of possible attributes in various combinations of object classes, an LDAP client testing this with the noop control would be a real resource hog.

> Yet you might fall into the perverse situation where subsequent modifications are conditioned on attribute values that previous modifications would have altered. That's one of the reasons predicting access privileges is not possible, unless access to the rules is given.

Well, if in doubt the server should return 'unknown' or, if that's not possible, 'write'.
Ciao, Michael.
openldap-software@openldap.org