
Re: (ITS#3625) [enhancement] per-operation ACLs



At 12:52 PM 4/1/2005, ando@sys-net.it wrote:
>Kurt D. Zeilenga wrote:
>
>>What about modify operations which add entries, or
>>add operations that modify existing entries, or
>>delete operations that do searches, or searches
>>that do deletes?
>>
>>Is it the LDAP op code that matters here? or the
>>underlying DIT operation?  I think the latter.
>>  
>>
>Are you thinking about internal operations, as those performed by 
>syncrepl or things like that?

I'm thinking about operations extended by controls,
overlay/SLAPI games, etc..

>I understand your point, and in fact I'd 
>try to use the op code related to the operation requested by the client 
>(which is not what the code is doing right now) instead of that of the 
>current operation.  However, it is my understanding that whenever an 
>operation is doing something radically different (e.g., a search deletes 
>an entry) it is likely to be performed with some administrative 
>privileges (e.g. rootdn or so).
>
>>Maybe it would make more sense to divide "w"
>>into different kinds of writes?
>>  
>>
>Something like
>
>>  permission = "a" / ; add
>>               "d" / ; delete
>>               "e" / ; export
>>               "i" / ; import
>>               "n" / ; renameDN
>>               "b" / ; browseDN
>>               "t" / ; returnDN
>>               "r" / ; read
>>               "s" / ; search
>>               "w" / ; write (mod-add)
>>               "o" / ; obliterate (mod-del)
>>               "c" / ; compare
>>               "m" / ; make
>
>p.
>
>
>    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
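As an added illustration of the point argued above (whether the LDAP op code or the underlying DIT operation should decide access), here is a small model of the proposed permission letters. It is example code written for this page, not OpenLDAP code and not code from either poster. The letter set is the one quoted above; the mapping from DIT-level operations to required letters, the `rootdn` value, the subject selectors and the sample DNs are assumptions made for the example, and the clause matching is a simplified first-match rule rather than slapd's real ACL evaluation.

```python
# Toy model of the per-operation permission letters proposed in ITS#3625.
# Example code for illustration; not OpenLDAP's implementation.
from typing import Dict, FrozenSet, List, NamedTuple

ROOTDN = "cn=Manager,dc=example,dc=com"   # assumed rootdn for the example

# Permission letters exactly as proposed in the thread.
PERMISSIONS: Dict[str, str] = {
    "a": "add", "d": "delete", "e": "export", "i": "import",
    "n": "renameDN", "b": "browseDN", "t": "returnDN", "r": "read",
    "s": "search", "w": "write (mod-add)", "o": "obliterate (mod-del)",
    "c": "compare", "m": "make",
}

# Assumed mapping from DIT-level operations to the letters they require.
# This is the example's own assumption, not semantics OpenLDAP defines.
REQUIRED: Dict[str, FrozenSet[str]] = {
    "entry-add": frozenset("a"),
    "entry-delete": frozenset("d"),
    "entry-rename": frozenset("n"),
    "attr-add-values": frozenset("w"),
    "attr-delete-values": frozenset("o"),
    "attr-read": frozenset("r"),
    "attr-search": frozenset("s"),
    "attr-compare": frozenset("c"),
}


class Clause(NamedTuple):
    who: str               # subject selector: "self", "users", "*" or a DN
    perms: FrozenSet[str]  # granted permission letters


def parse_perms(spec: str) -> FrozenSet[str]:
    """Validate a permission string against the proposed letter set."""
    bad = [ch for ch in spec if ch not in PERMISSIONS]
    if bad:
        raise ValueError("unknown permission letter(s): " + "".join(bad))
    return frozenset(spec)


def who_matches(who: str, subject: str, target_dn: str) -> bool:
    """Subject selectors; anonymous is modelled as the empty DN."""
    if who == "*":
        return True
    if who == "users":
        return subject != ""
    if who == "self":
        return subject == target_dn
    return who == subject


def expand_ldap_op(opcode: str, mod_types=(), creates_entry: bool = False,
                   deletes_entry: bool = False) -> List[str]:
    """Map an LDAP op code to the DIT operations it actually performs.

    The two flags stand in for a control, overlay or SLAPI plugin that makes
    an operation do something other than what its op code says, which is the
    case the thread is about (a modify that adds an entry, a search that
    deletes one).
    """
    base = {
        "add": ["entry-add"],
        "delete": ["entry-delete"],
        "modrdn": ["entry-rename"],
        "search": ["attr-search", "attr-read"],
        "compare": ["attr-compare"],
        "modify": [],
    }[opcode]
    ops = list(base)
    for mod in mod_types:                     # only meaningful for modify
        if mod in ("add", "replace"):
            ops.append("attr-add-values")
        if mod in ("delete", "replace"):
            ops.append("attr-delete-values")
    if creates_entry:
        ops.append("entry-add")
    if deletes_entry:
        ops.append("entry-delete")
    return ops


def check_access(acl: List[Clause], subject: str, target_dn: str,
                 dit_ops: List[str]) -> bool:
    """Grant only if every DIT-level operation the request expands to is
    covered. The first clause whose selector matches decides (simplified
    first-match rule); rootdn bypasses the ACL entirely."""
    if subject == ROOTDN:
        return True
    needed = set()
    for op in dit_ops:
        needed |= REQUIRED[op]
    for clause in acl:
        if who_matches(clause.who, subject, target_dn):
            return needed <= clause.perms
    return False


if __name__ == "__main__":
    # Constructed ACL: users may rewrite their own entry, read/search others.
    acl = [Clause("self", parse_perms("wors")), Clause("users", parse_perms("rs"))]
    me = "uid=alice,dc=example,dc=com"
    print(check_access(acl, me, me, expand_ldap_op("modify", ("add",))))
    print(check_access(acl, me, me,
                       expand_ldap_op("modify", ("add",), creates_entry=True)))
```

The second call in the usage block is the interesting one: the client's op code is still `modify`, but because the request ends up creating an entry the required set becomes `{w, a}`, and a grant of `wors` no longer covers it. Deciding on the DIT-level operations makes that visible; deciding on the op code alone would have let it through.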