Quanah Gibson-Mount wrote:
> --On Tuesday, November 05, 2013 5:42 PM +0100 Hans Freitag zem@fnordpol.de wrote:
>> Not to use an evil client is no option to me.
> Don't give the user manage privileges...
Doesn't that rather affect the use of Relax Rules control (formerly known as Manage DIT control)?
I think the (ab)use of Manage DSA IT control to circumvent constraint(s) is somewhat historic because at that time in the past [1] was not available yet. This resulted in a control-against-constraint mess.
It should consequently be replaced by applying Relax Rules control, including properly checking the manage privilege.
BTW: The OID of the Relax Rules control still contains this experimental OID *.666.* cruft. Maybe it's time to proceed with the draft and define a proper OID.
How about discussing this at LDAPcon in Paris? (might also fit in my presentation...)
Ciao, Michael.