
Re: (ITS#6198) Authorization for extensions



Michael Ströder wrote:
> hyc@OpenLDAP.org wrote:
>> Full_Name: Howard Chu
>> Version: HEAD/2.5
>> OS:
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (76.91.220.157)
>> Submitted by: hyc
>>
>>
>> The access control mechanism needs to be extended to control actions, not just
>> objects, to control who may use various LDAP Controls and Extended Operations.
>
> +1
>
>> E.g.
>>    access to control=<oid>  by <who>
>>    access to op=<operation or oid>  by <who>
>                    ^^^^^^^^^
> What is "operation" supposed to be? I'd prefer only to allow "oid" since
> OIDs are the only identifiers clearly specified in RFCs and I-Ds.

Ugh, no. There's no way any sysadmin is going to remember what each OID means. 
Each exop will be given a "friendly name" like WhoAmI, ModifyPwd, etc.

Don't make the same mistake the original LDAP implementers did - numeric OIDs 
are for machine consumption only; they should always be mapped to mnemonic 
names for use by humans. (Technically they should be mapped to *localized* 
names; obviously the names were not intended to be part of the protocol 
specification. This is another glaring flaw in the LDAP specifications...)

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
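The two points above (the proposed `access to control=<oid> by <who>` / `access to op=<operation or oid> by <who>` clauses, and the argument that config should take mnemonic names while matching is done on the OID the client actually sent) can be illustrated with a small resolver and evaluator. This is example code added for this page, not slapd code: the clause syntax is the proposal in this ITS, not an implemented directive; the OIDs are the RFC-assigned ones for the named operations and controls; the `by` forms handled (`*`, `users`, `anonymous`, `dn.exact=...`) are a subset of slapd's existing ACL vocabulary, with a matching `by` clause treated as a grant and no matching rule as a deny, which is a choice made here for the illustration.

```python
"""Resolve proposed 'access to op=...' / 'access to control=...' clauses.

Added example, not OpenLDAP code. Names are for humans, OIDs for the
matcher: config accepts either, everything is canonicalised to the OID.
"""
import re
from dataclasses import dataclass

# RFC-assigned OIDs mapped to the kind of mnemonic proposed in the thread.
EXOP_NAMES = {
    "1.3.6.1.4.1.4203.1.11.3": "WhoAmI",     # RFC 4532
    "1.3.6.1.4.1.4203.1.11.1": "ModifyPwd",  # RFC 3062 Password Modify
    "1.3.6.1.4.1.1466.20037": "StartTLS",    # RFC 4511
    "1.3.6.1.1.8": "Cancel",                 # RFC 3909
}
CONTROL_NAMES = {
    "2.16.840.1.113730.3.4.2": "ManageDsaIT",   # RFC 3296
    "2.16.840.1.113730.3.4.18": "ProxyAuthz",   # RFC 4370
    "1.2.840.113556.1.4.319": "PagedResults",   # RFC 2696
    "1.3.6.1.1.12": "Assertion",                # RFC 4528
}
TABLES = {"op": EXOP_NAMES, "control": CONTROL_NAMES}

OID_RE = re.compile(r"^[0-2](\.\d+)+$")
RULE_RE = re.compile(r"^access\s+to\s+(op|control)=(\S+)((?:\s+by\s+\S+)+)\s*$")


def resolve(kind, token):
    """Return the OID for a mnemonic or a numeric OID (case-insensitive names).
    An unknown name is an error at config load, not a rule that never matches."""
    table = TABLES[kind]
    if OID_RE.match(token):
        return token
    for oid, name in table.items():
        if name.lower() == token.lower():
            return oid
    raise ValueError(f"unknown {kind} name {token!r}; known: {sorted(table.values())}")


def describe(kind, oid):
    """OID -> mnemonic for log lines and error messages; unknown OIDs stay numeric."""
    return TABLES[kind].get(oid, oid)


@dataclass
class Rule:
    kind: str   # "op" or "control"
    oid: str    # canonical target
    who: list   # ordered 'by' clauses


def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"bad access clause: {line!r}")
    kind, token, by_part = m.groups()
    return Rule(kind, resolve(kind, token), re.findall(r"by\s+(\S+)", by_part))


def config_errors(lines):
    """Validate a whole config; returns one message per bad clause (empty if clean)."""
    errors = []
    for line in lines:
        try:
            parse_rule(line)
        except ValueError as e:
            errors.append(str(e))
    return errors


def who_matches(who, requester):
    """requester is None for an anonymous bind, else the bound DN (simplified subset)."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who.startswith("dn.exact="):
        return requester is not None and who[len("dn.exact="):].lower() == requester.lower()
    return False


def permitted(rules, kind, oid, requester):
    """First rule whose target matches decides (as with slapd's 'to' scan);
    any matching 'by' clause in it grants. No matching rule: deny."""
    for r in rules:
        if r.kind == kind and r.oid == oid:
            return any(who_matches(w, requester) for w in r.who)
    return False


# Constructed sample config: names and a raw OID mixed, as an admin might write it.
CONFIG = [
    "access to op=WhoAmI by users",
    "access to op=1.3.6.1.4.1.4203.1.11.1 by dn.exact=cn=admin,dc=example,dc=com",
    "access to control=ProxyAuthz by dn.exact=cn=proxy,dc=example,dc=com",
    "access to control=PagedResults by *",
]

if __name__ == "__main__":
    rules = [parse_rule(l) for l in CONFIG]
    for r in rules:
        print(f"{r.kind}={describe(r.kind, r.oid)} ({r.oid}) by {' / '.join(r.who)}")
    print("anonymous WhoAmI:", permitted(rules, "op", "1.3.6.1.4.1.4203.1.11.3", None))
```

Note that an unrecognised mnemonic fails at load time: a rule written for a name that maps to nothing would otherwise silently match no request, which for an allow-only rule is a hidden deny.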