Re: filters in ldapACI (WAS Re: I-D ACTION:draft-ietf-ldapext-acl-model-06.txt)

["Kurt D. Zeilenga" <Kurt@OpenLDAP.org>]

Rob,

Instead of a filter restricted to object classes, why not
reintroduce collections concept, but define collections
as being a collection of object classes?  The ACI would apply
to all attributes allowed by any of the object classes within
the collection.

Kurt


At 04:45 PM 7/21/00 +0200, Rob Byrne - Sun Microsystems wrote:
>   
> Haripriya, 
>
> You are right that there is no way to do this in the current draft. 
> I think it's a useful feature and should probably be added. 
>
> It involves adding the capability to specify an LDAP filter (restricted
> to objectclass only ?) to the ldapACI. 
>
> Rob. 
> >  In the current model of ACL I cannot find how to actually set
> > ACLs for a 'to be created
> >  entry' based on its objectClass. For example, I may want a set of
> > ACLs to be present for all
> >  the objects of type inetorgperson, to expose certain attributes by
> > default to even an
> >  unauthenticated user. It would help in this case, if I have
> > mechanism's to set ACLs for the
> >  objectclass itself, so that any entry of that class created
> > automatically gets these ACLs.
> >  The other alternative would be for me to set these ACLs at one
> > parent with scope subtree and
> >  let all the entries under that parent inherit these ACLs. But this
> > would not let me
> >  distinguish by objectclass ( I may want to expose cn for
> > inetorgperson but not for
> >  residentialperson by default). Does anybody have ideas on this?
> >   
> >  Thanks and Regards,
> >  Haripriya