directory-dev mailing list archives

From "Alex Karasulu" <akaras...@apache.org>
Subject Re: [jira] Created: (DIRSERVER-1169) Access control don't apply to the rootDSE
Date Tue, 06 May 2008 13:47:53 GMT
Ahh great points Howard! I did not at all think of these use cases and they
make perfect sense. Sounds as though this is not an absolute must but something
we can take our time in implementing. Perhaps it's better to take more
time doing it right with partition nesting than finding a quick hack to make
this work right now.

Thanks again!
Alex

On Tue, May 6, 2008 at 9:40 AM, Howard Chu <hyc@symas.com> wrote:

> Alex Karasulu wrote:
>
> > No need to quote the RFC with me, I know that it can be subject to
> > access control - read my question. You know of situations when it is
> > actually set to anything but read-only by everyone?
> >
>
> There are cases where MacOS admins remove access to the
> supportedSASLMechanisms attribute, to prevent the clients from attempting
> SASL Binds. I don't recall all the reasons behind it, but suffice to say
> it's mostly just a bandaid over a buggy SASL implementation.
>
> You may also want to hide certain values from the
> supportedControls/supportedExtensions attributes, so that only particularly
> authenticated clients can see certain controls. (And furthermore you may
> want to prevent these controls/extensions from being used by various
> users...)
>
> --
>  -- Howard Chu
>  CTO, Symas Corp.           http://www.symas.com
>  Director, Highland Sun     http://highlandsun.com/hyc/
>  Chief Architect, OpenLDAP  http://www.openldap.org/project/
>
