On Mon, 2017-01-16 at 17:09 +0100, Ludwig Krispenz wrote:
> On 01/13/2017 06:24 PM, thierry bordaz wrote:
> > Hello,
> >
> > The option specifies the value of 'objectclass' attribute during the
> > GER. That is evaluated at attributeLevelRights but not at the
> > entryLevelRights. I was not able
On 01/13/2017 06:24 PM, thierry bordaz wrote:
Hello,
The option specifies the value of 'objectclass' attribute during the
GER. That is evaluated at attributeLevelRights but not at the
entryLevelRights. I was not able to fix the test case using this option.
For information I opened that
Hello,
The option specifies the value of 'objectclass' attribute during the
GER. That is evaluated at attributeLevelRights but not at the
entryLevelRights. I was not able to fix the test case using this option.
For information I opened that ticket
Hi,
if you look at:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Viewing_the_ACIs_for_an_Entry-Get_Effective_Rights_Control.html#ex-ger-non-entry
then it looks like you can provide GER a bit of information eg
objectclass of the new
Hi Fraser,
I failed to reproduce you test case, I mean the aci granted the add
right to a group member to ADD an entry with the filtered attribute.
Now I have a doubt to test attribute valule on an entry that does not
yet exist.
Would you run /usr/lib64/mozldap/ldapsearch -D "cn=directory
In ca_add.pre_callback, we have:
if not ldap.can_add(dn[1:]):
raise ACIError(...)
`can_add' uses the GetEffectiveRights control to see what rights the
user has.
When a user with the 'System: Add CA' permission attempts to add a
CA, the above ACIError gets raised. This is definitely a