Re: (ITS#3625) [enhancement] per-operation ACLs
Kurt@OpenLDAP.org wrote:
>watch out for manage (m) and disclose (d) permissions.
>
Without any intention to revitalize the <draft-ietf-ldapext-acl-model>,
to fulfil the requirement of this ITS we should at least borrow some of
its concepts. I note that our (d) borrows (and may partially extend)
the "t: returnDN" privilege of that draft, while our (m) is not
paralleled, at least in the broad (and loose) meaning we're discussing,
like allowing the structuralObjectClass to be changed and so on.
There's a lot of granularity we may want to borrow (perhaps too much) in

  Permissions which apply to attributes:
  ...
  w  Write       Modify-add values
  o  Obliterate  Modify-delete values
  ...
  m  Make        Make attributes on a new entry below this entry

and in

  a  Add         Add an entry below this entry
  d  Delete      Delete this entry
  e  Export      Export entry & subordinates to new location
  i  Import      Import entry & subordinates from some location
  n  RenameDN    Rename an entry's DN
I think the "i: Import" and "e: Export" are a (perhaps excessive)
granularization of (m) manage, yet some extra management granularity and
generality is missing to account for other non-user allowed internal
operations.
Finally, the granular options should be logically grouped under the
umbrella of the current OpenLDAP privileges, to ease transition and in
general configuration whenever granularity is not needed.
So (using the extended names to avoid confusion):

  OpenLDAP    draft-ietf-ldapext-acl-model
  disclose    returnDN (and more)
  auth        n.a.
  search      Search
  compare     Compare
  read        Read, BrowseDN
  write       Write, Obliterate, Make, Add, Delete, RenameDN
  manage      Export, Import (and more)
If there's consensus on implementing all (or some) of these, and on the
grouping, I can (fast?) prototype an implementation.
p.
SysNet - via Dossi, 8  27100 Pavia  Tel: +390382573859  Fax: +390382476497
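The grouping proposed in this message, written out as an added example that is not part of the thread or of OpenLDAP's own code: it folds the draft's granular privileges into OpenLDAP's cumulative access levels (each level implies the lower ones, as documented in slapd.access(5)) and evaluates a simplified "access to ... by ..." directive with slapd's first-match "by" semantics. The directive parser (evaluate) is a hypothetical helper, not slapd's own.

```python
"""Model of the proposed grouping of draft-ietf-ldapext-acl-model privileges
under OpenLDAP's cumulative access levels (constructed example)."""

# OpenLDAP access levels from lowest to highest; each level implies all the
# lower ones (slapd.access(5)). Only levels named in the thread are used.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Grouping proposed in the message: draft privilege -> OpenLDAP level.
GROUPING = {
    "returnDN": "disclose",
    "Compare": "compare",
    "Search": "search",
    "Read": "read", "BrowseDN": "read",
    "Write": "write", "Obliterate": "write", "Make": "write",
    "Add": "write", "Delete": "write", "RenameDN": "write",
    "Export": "manage", "Import": "manage",
}


def implied_privileges(level):
    """Draft privileges a granted OpenLDAP level implies, honouring the
    cumulative semantics (e.g. 'read' also covers Search and Compare)."""
    rank = LEVELS.index(level)
    return {p for p, lvl in GROUPING.items() if LEVELS.index(lvl) <= rank}


def permits(level, privilege):
    """True if the granted OpenLDAP level covers the granular draft privilege."""
    if privilege not in GROUPING:
        raise ValueError("unknown draft privilege: %s" % privilege)
    return privilege in implied_privileges(level)


def evaluate(directive, who, privilege):
    """Evaluate a simplified 'access to <what> by <who> <level> ...' line.

    As in slapd, 'by' clauses are tried in order and the first whose <who>
    matches the requester (exactly, or the wildcard '*') decides; if none
    matches, access is denied. Hypothetical helper, not slapd's parser.
    """
    tokens = directive.split()
    clauses = [(tokens[i + 1], tokens[i + 2])
               for i, tok in enumerate(tokens) if tok == "by"]
    for subject, level in clauses:
        if subject in (who, "*"):
            return permits(level, privilege)
    return False
```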