David Bussenschutt <d.b...@ma...> wrote:
> Actually, what I want to do is change the attributes that are returned so
> that it returns what are currently considered by my server to be (I guess)
> operational attributes.
>
> You see, if I do a LDAP search in my NDS tree, I only get a very limited
> list of attributes returned when I request '*', but if I request them by
> name...no probs. There are many attributes that I would have expected a
> normal search to return. (like whether an account is locked or not)
>
> So, what I want is not to ADD another attribute, and control its access
> with an ACL, but MODIFY existing attributes so that they are more visible.
> Is this part of a system ACL too?
>
> David.
>
>
> At 05:58 PM 8/10/00 -0500, you wrote:
>> What you want to do should be accomplished via an ACL, not an
>> operational attribute.
>> From my understanding an operational attribute is one that is determined
>> by the server and is not attached to the entry. And they can cause a load
>> on the server to generate them, thus you don't want them returned unless
>> they're specifically requested & you probably don't want them allowed to
>> just anyone.
>>
>> Mark
>>
>> On Fri, 11 Aug 2000, David Bussenschutt wrote:
>>
>>> What mechanism does a server use to decide what is an operational
>>> attribute, and what is not? Can I add operational attributes? (ie not
>>> have them returned in a normal search unless explicitly requested)
>>>
>>> David.

I didn't see the original message, so I'm going to comment on both at the
same time.

The schema defined in the server defines which attributes are operational,
and which are not. (Non-operational attributes are called user attributes.)

So can you add operational attributes? Depends on what you mean by "you".
The administrator of the server *may* be able to do this.
A normal person cannot.

You should certainly not attempt to change anything that is in a standard
schema from being a user attr to an operational attr or vice versa.
Attributes are often marked as operational because they are treated
differently by the server, so changing things here might completely confuse
the directory server! I would recommend trying to work 'with' the directory
server rather than 'against' it, which is what it seems you're trying to do.

Access controls are a separate issue. Because operational attributes are
just attributes, they are subject to any access controls that grant or deny
access to them, the same as access controls for other attributes.

As to why your server's not returning attributes you think are user
attributes, well you could check the server's schema to see if they are or
not. If they are user attributes, and you can only get the attributes by
getting them explicitly, then I think you should report a bug to the server
vendor.
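
The schema check suggested in the reply above, as an added example that is not part of the original thread: it reads attributeTypes definitions in RFC 4512 syntax and lists the ones whose USAGE marks them operational, which is why a '*' search leaves them out. The sample definitions (including 'exampleLockedFlag' and its OID) and the function names are constructed for illustration; real input would be the attributeTypes values from the server's subschema entry.

```python
import re

# Constructed attributeTypes values in RFC 4512 syntax, as a subschema entry
# publishes them. 'exampleLockedFlag' and its OID are made up for this example.
SAMPLE_ATTRIBUTE_TYPES = [
    "( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )",
    "( 2.5.18.1 NAME 'createTimestamp' EQUALITY generalizedTimeMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE "
    "NO-USER-MODIFICATION USAGE directoryOperation )",
    "( 1.3.6.1.4.1.99999.1.1 NAME 'exampleLockedFlag' "
    "DESC 'constructed, USAGE userApplications in text' "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE USAGE dSAOperation )",
    "( 2.5.4.35 NAME 'userPassword' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 "
    "USAGE userApplications )",
]

QUOTED = re.compile(r"'[^']*'")
NAME = re.compile(r"\bNAME\s+(\((?:\s*'[^']*')+\s*\)|'[^']*')")
USAGE = re.compile(r"\bUSAGE\s+(\w+)")

def parse_attribute_type(definition):
    """Return (names, usage) for one AttributeTypeDescription string."""
    body = definition.strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError("not a parenthesised schema definition: %r" % definition)
    match = NAME.search(body)
    # NAME is optional; fall back to the numeric OID, the first token.
    names = ([q.strip("'") for q in QUOTED.findall(match.group(1))]
             if match else [body[1:-1].split()[0]])
    # Blank out quoted strings so DESC text cannot be read as a keyword.
    usage = USAGE.search(QUOTED.sub("''", body))
    # RFC 4512: a definition without USAGE is a user attribute.
    return names, usage.group(1) if usage else "userApplications"

def classify(definitions):
    """Map each lower-cased attribute name (aliases included) to its USAGE."""
    usage_by_name = {}
    for definition in definitions:
        names, usage = parse_attribute_type(definition)
        for name in names:
            usage_by_name[name.lower()] = usage
    return usage_by_name

def operational(definitions):
    """Names that a '*' search leaves out; they must be requested by name."""
    return sorted(n for n, u in classify(definitions).items()
                  if u != "userApplications")
```

An attribute that has to be requested by name but is absent from the list `operational()` returns for the server's own schema is the case the reply describes as a bug to report to the vendor.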