masar...@aero.polimi.it wrote:
>> If the client wants to request via slapo-allowed which attributes are
>> readable/writeable before adding another object class then object classes
>> not yet part of the entry could be used if the client adds the object
>> class name prefixed with @. This is an extension to the semantics but
>> should not cause any problem with existing clients.
>
> with the current implementation of slapo-allowed, the client does not do
> anything specific but requesting those special operational attributes.

Yes. That's what I've implemented. Well, what slapo-allowed and MS AD
implement is limited anyway. E.g. no way to determine writeable attrs when
adding new entries.

> It is not clear to me how the semantics you propose should be activated.
> If you mean that having some "@" + <objectClass> in the requested attrs
> should populate the allowedAttributes and allowedAttributesEffective
> attributes, I think it would be a significant distortion of the meaning of
> the requested attributes.

Yes, my suggestion was that slapo-allowed looks at the attr list in the
search request for occurrences of "@" + <objectClass>. And then use each
<objectClass> (if not yet in the set of current object classes of the entry)
to evaluate the accompanying attrs and put them into allowedAttributes
and/or allowedAttributesEffective. Yes, that's a change in the current
semantics.

I now partially worked around the problem with new object classes in
web2ldap by determining which attrs would be really new when adding a set of
object classes enabling all the input fields for these new attrs. But of
course that's not nice.

> I'd rather favor defining a specific control request, that sort of
> "mimics" adding some attributes, including objectClass values, to an
> existing entry, so that allowedAttributes and allowedAttributesEffective
> are populated accordingly.

There are some implementations of the Get Effective Rights control but they
seem to slightly differ.

Ciao, Michael.
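As an added illustration of the two ideas in this thread (the "@" + objectClass hint in the requested-attribute list, and the client-side workaround of computing which attribute types would be genuinely new when object classes are added), here is a small Python sketch. It is not code from the mail, from web2ldap or from slapo-allowed; the schema fragment is constructed and heavily abbreviated, and the function names are hypothetical.

```python
# Constructed, abbreviated schema fragment: objectClass -> superior, MUST, MAY.
# Real schema lookups are case-insensitive and far larger; this is only a toy.
SCHEMA = {
    "top": {"sup": None, "must": {"objectClass"}, "may": set()},
    "person": {"sup": "top", "must": {"sn", "cn"},
               "may": {"userPassword", "telephoneNumber", "seeAlso", "description"}},
    "organizationalPerson": {"sup": "person", "must": set(),
                             "may": {"title", "ou", "l", "postalAddress"}},
    "inetOrgPerson": {"sup": "organizationalPerson", "must": set(),
                      "may": {"mail", "uid", "givenName", "displayName", "jpegPhoto"}},
    "posixAccount": {"sup": "top",
                     "must": {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
                     "may": {"userPassword", "loginShell", "gecos", "description"}},
}


def object_class_chain(oc):
    """Yield oc followed by every superior class up to 'top'."""
    while oc is not None:
        yield oc
        oc = SCHEMA[oc]["sup"]


def allowed_attrs(object_classes):
    """All attribute types (MUST and MAY) permitted by a set of object classes,
    including those inherited from superior classes."""
    attrs = set()
    for oc in object_classes:
        for cls in object_class_chain(oc):
            attrs |= SCHEMA[cls]["must"] | SCHEMA[cls]["may"]
    return attrs


def split_requested_attrs(requested):
    """Separate ordinary requested attributes from the proposed '@<objectClass>'
    hints, returning (plain_attrs, hinted_object_classes)."""
    hints = [a[1:] for a in requested if a.startswith("@")]
    plain = [a for a in requested if not a.startswith("@")]
    return plain, hints


def new_attrs_for(entry_ocs, added_ocs):
    """Attribute types that become allowed only because of the added object
    classes (the web2ldap-style workaround described in the mail): attributes
    already permitted by the entry's current classes are not 'new'."""
    return allowed_attrs(added_ocs) - allowed_attrs(entry_ocs)


if __name__ == "__main__":
    plain, hints = split_requested_attrs(["allowedAttributes", "@posixAccount"])
    print(plain, hints)
    print(sorted(new_attrs_for({"inetOrgPerson"}, hints)))
```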