(ITS#6198) Authorization for extensions
Full_Name: Howard Chu
Version: HEAD/2.5
OS:
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (76.91.220.157)
Submitted by: hyc
The access control mechanism needs to be extended to control actions, not just
objects, to control who may use various LDAP Controls and Extended Operations.
E.g.

    access to control=<oid> by <who>
    access to op=<operation or oid> by <who>

Perhaps the control= / op= specifier should be usable in combination with the
other <what> specifiers; I haven't thought too deeply about it. It only makes
sense in limited contexts, since various extensions may not even affect any
particular directory object.