[Date Prev][Date Next] [Chronological] [Thread] [Top]

Specific add, delete rights vs. children/entry

To: openldap-devel@OpenLDAP.org
Subject: Specific add, delete rights vs. children/entry
From: Mark Valence <kurash@sassafras.com>
Date: Thu, 19 Aug 1999 13:26:11 -0400
In-reply-to: <3.0.5.32.19990817223302.009577b0@localhost>
References: <3.0.5.32.19990817202001.00966500@localhost> <3.0.5.32.19990817202001.00966500@localhost> <3.0.5.32.19990817223302.009577b0@localhost>

I think it would be pretty straightforward to change from using the "children" attribute as access control for adding, deleting and modrdn'ing. What I propose is that -- internally -- slapd use something more akin to the add/delete/editDN rights from draft-ieft-ldapext-acl-model-03.txt. By internally, I mean that the ACLs can still use "children" to limit access for these operations, but backends would not use this pseudo-attribute to determine access rights. This would only effect the ldbm and bdb2 backends. This would make it easy for ACIs to restrict access based on add/delete/editDN rights.

Any comments?

Mark.

References:
- Re: Implementing object-based access control
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: OpenLDAP-2.0-alpha & varargs or stdarg
Next by Date: Re: OpenLDAP-2.0-alpha & varargs or stdarg
Index(es):
- Chronological
- Thread