
Re: filters in ldapACI (WAS Re: I-D ACTION:draft-ietf-ldapext-acl-model-06.txt)

Haripriya,

You are right that there is no way to do this in the current draft.  I think it's a useful feature and should probably be added.

It involves adding the capability to specify an LDAP filter (restricted to objectclass only?) to the ldapACI.

Rob.

 In the current model of ACL I cannot find how to actually set ACLs for a 'to be created
 entry' based on its objectClass. For example, I may want a set of ACLs to be present for all
 the objects of type inetorgperson, to expose certain attributes by default to even an
 unauthenticated user. It would help in this case, if I have mechanisms to set ACLs for the
 objectclass itself, so that any entry of that class created automatically gets these ACLs.
 The other alternative would be for me to set these ACLs at one parent with scope subtree and
 let all the entries under that parent inherit these ACLs. But this would not let me
 distinguish by objectclass (I may want to expose cn for inetorgperson but not for
 residentialperson by default). Does anybody have ideas on this?
  
 Thanks and Regards,
 Haripriya
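
A toy model of the two options discussed in this thread, added here as an example; it is not part of the original messages and does not use the draft's ldapACI syntax. The `Aci` class, its hypothetical `object_class` restriction, and the sample DNs are assumptions constructed for illustration. It shows that a subtree-scoped rule exposes `cn` to unauthenticated users for every new entry under the parent, while an objectClass-restricted rule exposes it only for inetOrgPerson entries.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Aci:
    base: str                           # entry the rule is attached to (subtree scope)
    subject: str                        # "public" = anyone, including unauthenticated
    attrs: frozenset                    # attributes granted for read
    object_class: Optional[str] = None  # hypothetical objectClass restriction

def _rdns(dn):
    # Simplification: the constructed sample DNs contain no escaped commas.
    return [r.strip().lower() for r in dn.split(",") if r.strip()]

def in_subtree(dn, base):
    # Compare whole RDNs so "xou=people,..." does not match "ou=people,...".
    d, b = _rdns(dn), _rdns(base)
    return len(d) >= len(b) and (not b or d[-len(b):] == b)

def applies(aci, entry, subject):
    if aci.subject not in ("public", subject):
        return False
    if not in_subtree(entry["dn"], aci.base):
        return False
    if aci.object_class is None:
        return True
    # objectClass values are matched case-insensitively.
    return aci.object_class.lower() in {c.lower() for c in entry["objectClass"]}

def readable(entry, acis, subject="public"):
    # Default deny: only attributes granted by an applicable rule are readable.
    granted = set()
    for aci in acis:
        if applies(aci, entry, subject):
            granted |= aci.attrs
    return granted

# Constructed sample data: two newly created entries under the same parent.
PEOPLE = "ou=people,dc=example,dc=com"
NEW_ENTRIES = [
    {"dn": "cn=Ann," + PEOPLE, "objectClass": ["top", "person", "inetOrgPerson"]},
    {"dn": "cn=Bob," + PEOPLE, "objectClass": ["top", "person", "residentialPerson"]},
]
SUBTREE_ONLY = [Aci(PEOPLE, "public", frozenset({"cn"}))]
BY_CLASS = [Aci(PEOPLE, "public", frozenset({"cn"}), object_class="inetorgperson")]

def exposure(acis):
    return {e["dn"]: sorted(readable(e, acis)) for e in NEW_ENTRIES}
```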