On Thu, 2014-01-09 at 16:32 -0500, Nathaniel McCallum wrote: > This patch is independent from my patches 0028-0031 and can be merged in > any order. > > This patch has a bug, but I can't figure it out. We need to set > nsslapd-access-userattr-strict on cn=config to "off". Uhmm what is the effect on ACL evaluation of changing this boolean ? I can;t figure out from your commit not from 389ds commit what exactly changes and how it impacts the security of the directory. I ask because I was planning on using userattr to protect some operations in the password plugin but was waiting due to bug: https://fedorahosted.org/389/ticket/47571 which is beeing resolved. I want to make sure your change won't change what this ACIs would allow. Is this option simply allowing the use of add/delete ACIs to be specified in conjunction with userattr, so that a user can add an attr only if it contains its own DN ? Will it allow the user to add multiple values to the same attr as long as one of the is the userDN ? O will it restrict that case ? (I know that ipaTokenOwner is a single-value attribute, but the mechanism you are enabling here is general, and I want to be sure of what the semantics are)