
extended acl



I have a scenario as such:

I have users in the region of 200K to 500K.
Their DN looks like:
      dn: mail=userid@domain.com

Each of these users can create his own
private address book, which consists of records
in his subtree.
      dn: mail=friend1@fox.com, mail=user1@domain.com
      dn: mail=friend2@box.com, mail=user1@domain.com

(user1@domain.com has two persons, friend1@fox.com
 and friend2@box.com, in his private address book.)

Therefore, all in all, I have up to 500K subtrees.

Each user can only look at/search/write to his own record
and the records in his address-book subtree.

---------

Now, with the UMich LDAP/OpenLDAP ACL format, I need
nothing short of 500K ACL entries.

Looking over the Netscape ACI/ACL format, they
have some kind of inheritance matching. The ACL
for the address-book records is

  access to dn="mail=[^,]+,mail=[^,]+"
         by parent write
         by .*     none

Of course, to protect the base 500K users, we have

  access to dn="^mail=[^,]+$"
         by self write
         by .*   none

---------

My question is: is anyone extending OpenLDAP's
ACLs?

Supporting a new keyword "parent" might do it.

Comments? Email.
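The "parent" behaviour asked for above can be expressed without a new keyword in later OpenLDAP releases, using a regex capture in the "to" clause and the "expand" modifier in the "by" clause. The following slapd.conf fragment is an added example written for this page; it is not part of the original post and not code from the OpenLDAP project. It assumes OpenLDAP 2.1-or-later slapd.access(5) syntax (dn.regex, by *, dn.exact,expand), that the directory suffix is a bare mail= RDN exactly as in the DNs shown in the post, and that regexes are matched against the normalized DN, which has no space after the comma (so "mail=friend1@fox.com, mail=user1@domain.com" is seen as "mail=friend1@fox.com,mail=user1@domain.com"). The domain names are taken from the post.

```conf
# Added example, not from the original post or the OpenLDAP project.
# Assumes OpenLDAP 2.1+ slapd.conf ACL syntax and normalized DNs.
# Rules are evaluated in order; the first "access to" whose target
# matches the entry is the only one consulted, so order matters.

# 0. Users must be able to bind before "self" means anything: anonymous
#    needs "auth" on userPassword. Listed first so no later rule shadows it.
access to attrs=userPassword
        by anonymous auth
        by self write
        by * none

# 1. Address-book entries, one level below a user entry. The parenthesised
#    group captures the parent user's DN as $1; "expand" substitutes it into
#    the "by" clause, so only a client bound as that parent DN gets write
#    (which in OpenLDAP's privilege ordering also implies read and search).
#    This is the regex equivalent of the hypothetical "by parent write".
access to dn.regex="^mail=[^,]+,(mail=[^,]+)$"
        by dn.exact,expand="$1" write
        by * none

# 2. The user entries themselves: only the bound user may read or write.
#    Anchoring with ^ and $ keeps this from matching address-book entries,
#    which carry two mail= RDNs and are already handled by rule 1.
access to dn.regex="^mail=[^,]+$"
        by self write
        by * none

# 3. Explicit catch-all so nothing falls through to the implicit default.
access to *
        by * none
```

Two regex ACL entries cover all 500K subtrees, because the match is done per request against the target DN rather than per user at configuration time. One caveat worth checking in a test setup: the post's original patterns are unanchored (`"mail=[^,]+,mail=[^,]+"`), which would also match any DN that merely contains two mail= components somewhere in it; the anchored forms above only match exactly one or exactly two RDNs.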