extended acl
I've a scenario as such:
I've users in the region of 200K to 500K.
Their DN looks like:
dn: mail=userid@domain.com
Each of these users can create his own
private address book, which forms records
under his subtree.
dn: mail=friend1@fox.com, mail=user1@domain.com
dn: mail=friend2@box.com, mail=user1@domain.com
(user1@domain.com has two persons, friend1@fox.com
and friend2@box.com, in his private addr book)
Therefore, all in all, I've up to 500K subtrees.
Each user can only look/search/write to his record
and his records in his addr book subtree.
---------
Now with the umich ldap/openldap ACL format, I need
nothing short of 500K ACL entries.
On looking over the Netscape aci/acl format, they
have some kind of inheritance matching. The ACL
for the addr book records is
access to dn="mail=[^,]+,mail=[^,]+"
    by parent write
    by .* none
Of course, to protect the base 500K users, we've
access to dn="^mail=[^,]+$"
    by self write
    by .* none
---------
My question is, is anyone extending openldap's
ACL?
Supporting a new keyword "parent" might do it.
Comments? Email.
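As an added illustration (not code from the post, and not OpenLDAP's own ACL engine), the following Python sketch evaluates the two regex rules above with a hypothetical "parent" subject keyword alongside "self". The ACL table, the DN normalisation and the sample DNs are all constructed for this example; the point is that two rules cover every user and every address-book entry, so the per-user count of ACL entries does not grow with the number of subtrees.

```python
import re

# Constructed ACL mirroring the two rules in the post. Each entry is
# (anchored regex over the normalised target DN, ordered "by" clauses).
# As in slapd, the first rule whose target pattern matches decides, and
# within it the first "by" clause that applies wins.
ACL = [
    # address-book records: exactly two mail= RDNs -> only the parent may write
    (r"^mail=[^,]+,mail=[^,]+$", [("parent", "write"), ("*", "none")]),
    # base user entries: exactly one mail= RDN -> only the entry itself may write
    (r"^mail=[^,]+$", [("self", "write"), ("*", "none")]),
]


def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped, trimming whitespace."""
    return [rdn.strip() for rdn in re.split(r"(?<!\\),", dn)]


def normalize(dn):
    """Canonical form for comparison: no spaces after commas, lower-cased.
    Lower-casing the whole RDN is a simplification that is fine for mail=
    values; a real server normalises per attribute syntax."""
    return ",".join(rdn.lower() for rdn in split_rdns(dn))


def parent_dn(dn):
    """Parent of a DN is everything after its first RDN ('' for a top-level entry)."""
    return ",".join(split_rdns(normalize(dn))[1:])


def evaluate(bound_dn, target_dn, acl=ACL):
    """Return the access ('write' or 'none') that bound_dn gets on target_dn.
    bound_dn may be None for an anonymous bind. Falls through to 'none'
    when no rule matches, which is the safe default."""
    target = normalize(target_dn)
    bound = normalize(bound_dn) if bound_dn else ""
    for pattern, clauses in acl:
        if not re.match(pattern, target):
            continue
        for who, access in clauses:
            if who == "self" and bound and bound == target:
                return access
            # hypothetical "parent" keyword: the bound DN is the entry's
            # immediate superior, i.e. the owner of the address book
            if who == "parent" and bound and bound == parent_dn(target):
                return access
            if who == "*":
                return access
        return "none"
    return "none"


if __name__ == "__main__":
    # constructed sample DNs following the layout in the post
    owner = "mail=user1@domain.com"
    other = "mail=user2@domain.com"
    friend = "mail=friend1@fox.com, mail=user1@domain.com"
    for bound, target in [(owner, owner), (owner, other), (owner, friend),
                          (other, friend), (None, owner)]:
        print(f"{bound!r:45} -> {target!r:50} {evaluate(bound, target)}")
```

Both patterns are anchored with ^ and $ on purpose: an unanchored dn= regex matches any DN that merely contains the pattern, so a three-level DN such as an entry nested under a friend's record would otherwise be caught by the address-book rule and handed to whoever owns the middle RDN. With the anchors, such a DN matches neither rule and gets the fall-through "none".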