attribute for 'access to filter=...'
I wonder if OpenLDAP should define an operational attribute intended
to be used for 'filter=' and 'set=' access controls?  Maybe just with
string syntax, more or less free-form contents chosen by the admin.

Our LDAP project is about to define an attribute for filter= and I've
seen others need it, but since its functionality is implementation-
specific it doesn't quite seem to belong in an organization's or LDAP
project's schema.  In particular if the organization has no other
private schema elements...

E.g. one could use things like

   access to filter=(OpenLDAPobjectAccess=invisible) by self write

or a few statements like

   access to filter=(OpenLDAPobjectAccess=userPassword:localadm)
             attrs=userPassword
          by group=cn=localadm,cn=groups,dc=example,dc=com =xw
          by * auth

or

  access to attrs=x,y,z by set="([foo] | [bar] | [baz])
                                & user/OpenLDAPobjectAccess
                                & this/OpenLDAPobjectAccess" write
  (though a group memberOf attribute might be better in that case.)

-- 
Hallvard
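A constructed slapd.conf fragment (not from the post or from OpenLDAP) showing what a site would have to add today to get the effect Hallvard describes: a private-schema attribute standing in for the proposed one, plus ACLs in the order slapd needs. The attribute name, the auxiliary object class and the OIDs are placeholders; slapd applies the first `access to` clause whose <what> matches, so the filter= rules sit above the catch-all, and the tag attribute itself is locked down first so users cannot rewrite their own access tags.

```conf
# Constructed private-schema stand-in for the proposed attribute.
# The OIDs are placeholders; use an arc your organization actually owns.
attributetype ( 1.3.6.1.4.1.99999.1.1.1 NAME 'objectAccessTag'
    DESC 'Admin-chosen tags referenced only by slapd access-control filters'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

objectclass ( 1.3.6.1.4.1.99999.1.2.1 NAME 'objectAccessTagged'
    DESC 'Auxiliary class that lets an entry carry objectAccessTag'
    AUXILIARY
    MAY objectAccessTag )

# ACL evaluation: for each entry/attribute slapd uses the FIRST matching
# "access to" clause and, within it, the FIRST matching "by" clause.
# Once any ACL is present the implicit final rule is "by * none".

# 1. Whoever can write the tag controls the rules below, so only the
#    directory admins may change it; everyone else can only read it.
access to attrs=objectAccessTag
        by group=cn=ldapadmins,cn=groups,dc=example,dc=com write
        by * read

# 2. Tagged "invisible" entries: visible and writable to the entry itself,
#    hidden from everyone else (the entry pseudo-attribute is covered too).
access to filter=(objectAccessTag=invisible)
        by self write
        by * none

# 3. Local admins may reset passwords only on entries explicitly tagged
#    for delegation; =xw allows compare/auth and write, but not read.
access to filter=(objectAccessTag=userPassword:localadm)
        attrs=userPassword
        by group=cn=localadm,cn=groups,dc=example,dc=com =xw
        by * auth

# 4. Passwords on all other entries: owner may change, anyone may bind.
access to attrs=userPassword
        by self =xw
        by anonymous auth
        by * none

# 5. Catch-all for everything not matched above.
access to *
        by * read
```

Check the ordering with a test bind before relying on it: an `ldapsearch` as an untagged user against an `invisible` entry should return nothing, and the same search as that entry's own DN should return it.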