Pierangelo Masarati wrote:
I have another issue in mind: given the above specification, if the same derefAttr appears in more than one DerefSpec, one could hardly tell which DerefSpec one DerefRes belongs to. For example:request: { { member { cn, sn } }, { member { uid } } } response: { { member, "cn=ando" }, { member, "cn=ando" } } because the client's identity had read access to entryDN but not to cn, sn, uid attrs, we'd have a duplicate result. Of course, this could have been much better formulated as request: { { member { cn, sn, uid } } } response: { { member, "cn=ando" } } for this reason I'm inclined towards requesting that each derefAttr in a sequence of DerefSpec to be unique.
Yes, that should be a requirement. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
