Re: child modification
- To: openldap-devel@OpenLDAP.org
- Subject: Re: child modification
- From: "Efgé" <efge@mail.dotcom.fr>
- Date: 3 May 1999 19:37:15 -0000
- Organization: None
- References: <19990427230610.A18482@twilight.efge.org> <19990429231608.13775.qmail@twilight.efge.org> <37291024.2725E6A6@OpenLDAP.Org>
> Off topic: one drawback to your approach is that you have to rely
> on rootdn to deal with orphaned entries (entries with an invalid manager
> or no manager).
Yes. But I don't see it as a real problem: before copying the data
from the ldap server to the qmail database, I do a semantic check of the
contents of the directory (valid email addresses, no duplicates, etc.)
so it's easy to check for and report illegal manager entries.
> Before making "entry" ACLs a configurable option, I like to:
> 1) review other options
> 2) look at ways of integrating "entry" ACLs which protect
> against misconfiguration
>
> Here's one slight variant which might work out okay:
>
> add:
> require write to parent's "children"
>
> modrdn/delete:
> require write to parent's "children"
> AND, if entry acls enabled, write to entry's "entry".
>
> rename:
> require write to old and new parent's "children"
> AND, if entry acls enabled, write to entry's "entry".
This would work for me, and I believe it's a reasonable design.
Now that I think about it, I have something else to propose, which may
or may not have been discussed before on this list, but I'm fairly new to
all this:
When I read the docs for the Netscape Directory server, I found an "add"
and a "delete" right in the access list.
I was quite surprised when I came to OpenLDAP to find no similar
concept, and I had to dig into the source to find out how "add" was
handled.
How difficult would it be to add such an access right? Wouldn't it be a
cleaner way of dealing with all this? Of course I may not be aware of
all the issues; maybe it's not flexible enough.
Also, is the strict ordering write > read > search > ... necessary?
Couldn't we refine the rights in a non-strict ordering fashion, say:
add
delete
write (= modify only)
read
search
compare
selfwrite
maybe others I forget.
Or is all this mandated by the LDAP specs?
While I'm on the topic, for those who know the code, how difficult would
it be to add netscape-like ACLs directly into the entries (the aci:
attribute)?
http://devedge.netscape.com/docs/manuals/directory/dir40/ag/acl.htm
was very interesting to read.
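The add/modrdn/delete/rename rules quoted above, modelled as a small Python access check. This is an added example, not OpenLDAP code and not from anyone in this thread; the DN splitting, the grant table and the `has_write` callback are simplifying assumptions made for the demonstration.

```python
# Added example (not OpenLDAP code): a model of the access rules proposed
# in the quoted message, showing how write rights on the parent's "children"
# pseudo-attribute and the entry's own "entry" pseudo-attribute combine.
# Assumption: DNs are parsed by splitting on the first ',' (no escaped commas).
from typing import Callable, Optional

HasWrite = Callable[[str, str], bool]  # (dn, pseudo-attribute) -> granted?


def parent_dn(dn: str) -> Optional[str]:
    """Return the parent DN, or None when the DN has a single RDN."""
    parts = dn.split(",", 1)
    return parts[1].strip() if len(parts) == 2 else None


def allowed(op: str, dn: str, has_write: HasWrite,
            entry_acls: bool = False, new_parent: Optional[str] = None) -> bool:
    """Decide whether `op` on `dn` is permitted under the proposed rules.

    add            : write on parent's "children"
    delete, modrdn : write on parent's "children", plus "entry" if enabled
    rename         : write on old and new parent's "children", plus "entry"
    """
    parent = parent_dn(dn)
    if parent is None:
        return False  # suffix entries are out of scope for this model
    need_children = {parent}
    if op == "rename":
        if new_parent is None:
            raise ValueError("rename requires new_parent")
        need_children.add(new_parent)
    elif op not in ("add", "delete", "modrdn"):
        raise ValueError(f"unknown operation: {op}")
    if not all(has_write(p, "children") for p in need_children):
        return False
    # The "entry" check only bites when entry ACLs are switched on, which is
    # what makes the scheme safe against a misconfigured or missing entry rule.
    if op != "add" and entry_acls and not has_write(dn, "entry"):
        return False
    return True


# Constructed grant table: a manager may create and remove entries under
# ou=people, but holds no "entry" right on the entries themselves.
GRANTS = {("ou=people,dc=example,dc=com", "children")}


def demo_has_write(dn: str, attr: str) -> bool:
    return (dn, attr) in GRANTS
```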