Wednesday, February 26, 2014

Re: [389-devel] Design review: Access control on entries specified in MODDN operation (ticket 47553)

> Not sure what you mean. Do you mean the entry in which you set the
> aci attribute must be a parent/ancestor of both the target_to DN and
> the target_from DN?
>
>> Also what to do if 'target_to'/'target_from' are missing, to replace
>> them with the entry DN having the aci?
>
> I think it would be better to have to specify both target_to and
> target_from - that way there is no ambiguity.
>
> You still have to handle the problem of referential integrity e.g.
> what if someone renames target_from or target_to?
>
But this is a general problem already: if you have an aci in
dc=example,dc=com with a normal target "ou=people,dc=example,dc=com" and
you rename ou=people, the aci is not changed. The same is true in
bind rules: if you have an allow for userdn=ldap:///cn=x,ou=y,o=suffix and
move cn=x to ou=z, the bind rule no longer applies.

--
389-devel mailing list
389-devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-devel
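The referential-integrity point made in the reply above (an aci target or bind rule that names a DN silently stops matching once that entry is renamed) can be checked before a MODDN is applied. The following is an added example, not code from the 389 project; it uses a simplified DN normalizer (no escape handling) and constructed sample acis, and reports which DN references would be left dangling by a given rename.

```python
import re

# DN references in 389-style aci text: target="ldap:///dn", userdn="ldap:///dn", groupdn="ldap:///dn"
ACI_DN_REF = re.compile(r'\b(target|userdn|groupdn)\s*!?=\s*"ldap:///([^"]*)"')
# userdn keywords that are not DNs and therefore can never dangle
NON_DN_KEYWORDS = {"anyone", "all", "self", "parent"}


def normalize_dn(dn: str) -> str:
    """Lower-case and strip whitespace around each RDN (simplified: no escape handling)."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def is_under(dn: str, base: str) -> bool:
    """True if dn equals base or lies in base's subtree."""
    ndn, nbase = normalize_dn(dn), normalize_dn(base)
    return ndn == nbase or ndn.endswith("," + nbase)


def rename_dn(dn: str, old_dn: str, new_dn: str) -> str:
    """DN of the same entry after a MODDN that moves old_dn (and its subtree) to new_dn."""
    if not is_under(dn, old_dn):
        return normalize_dn(dn)
    ndn, nold = normalize_dn(dn), normalize_dn(old_dn)
    return ndn[: len(ndn) - len(nold)] + normalize_dn(new_dn)


def dangling_after_moddn(acis, old_dn, new_dn):
    """References in acis that name old_dn or an entry beneath it. The aci text keeps the
    old DN after the rename, so each such rule silently stops matching; the third tuple
    element is the DN the reference would have to be rewritten to."""
    broken = []
    for aci in acis:
        for keyword, ref in ACI_DN_REF.findall(aci):
            if ref.lower() in NON_DN_KEYWORDS:
                continue
            if is_under(ref, old_dn):
                broken.append((keyword, ref, rename_dn(ref, old_dn, new_dn)))
    return broken


# Constructed sample acis mirroring the two cases in the reply (target and bind rule).
SAMPLE_ACIS = [
    '(target="ldap:///ou=people,dc=example,dc=com")(version 3.0; acl "read people"; '
    'allow (read,search) userdn="ldap:///anyone";)',
    '(targetattr="*")(version 3.0; acl "x may write"; '
    'allow (write) userdn="ldap:///cn=x,ou=y,o=suffix";)',
]

if __name__ == "__main__":
    for old, new in [("ou=people,dc=example,dc=com", "ou=staff,dc=example,dc=com"),
                     ("cn=x,ou=y,o=suffix", "cn=x,ou=z,o=suffix")]:
        print(f"MODDN {old} -> {new}: {dangling_after_moddn(SAMPLE_ACIS, old, new)}")
```

Running the same check against the proposed target_to/target_from keywords would only need those names added to the regex alternation.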
