
Re: attribute for 'access to filter=...'



Hallvard B Furuseth wrote:

I wonder if OpenLDAP should define an operational attribute intended
to be used for 'filter=' and 'set=' access controls?  Maybe just with
string syntax, more or less free-form contents chosen by the admin.

Our LDAP project is about to define an attribute for filter= and I've
seen others need it, but since its functionality is implementation-
specific it doesn't quite seem to belong in an organization's or LDAP
project's schema.  In particular if the organization has no other
private schema elements...

E.g. one could use things like

  access to filter=(OpenLDAPobjectAccess=invisible) by self write

or a few statements like

  access to filter=(OpenLDAPobjectAccess=userPassword:localadm)
            attrs=userPassword
         by group=cn=localadm,cn=groups,dc=example,dc=com =xw
         by * auth

or

  access to attrs=x,y,z by set="([foo] | [bar] | [baz])
            & user/OpenLDAPobjectAccess
            & this/OpenLDAPobjectAccess" write
(though a group memberOf attribute might be better in that case.)


Makes sense, although its "specification" may sound a bit too loose right now (I guess you intended it so...).

With respect to "memberOf", I have loose plans (if I'd ever have any time to spare...) to implement a "memberOf" overlay that maintains back-references (and referential integrity "a la" refint). Unless someone else wants to jump in...

Ciao, p.

--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it

SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
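To make the semantics of the `set=` example in the quoted proposal concrete, here is a small added evaluator for that subset of slapd's set syntax (string literals `[x]`, `user/attr`, `this/attr`, `&`, `|`, parentheses). It is illustrative code written for this page, not OpenLDAP's own set implementation; it assumes left-to-right evaluation with equal precedence for `&` and `|` (the example's parentheses make that irrelevant), case-insensitive value matching, and constructed sample entries. slapd grants the listed access when the resulting set is non-empty.

```python
import re

# Constructed sample entries (not from a real directory). Attribute
# names are stored lower-cased so lookups are case-insensitive.
USER = {"dn": "cn=alice,dc=example,dc=com", "openldapobjectaccess": ["foo"]}
THIS = {"dn": "cn=project,dc=example,dc=com", "openldapobjectaccess": ["foo", "qux"]}

# The set expression from the quoted message.
EXPR = ("([foo] | [bar] | [baz]) & user/OpenLDAPobjectAccess"
        " & this/OpenLDAPobjectAccess")

# Tokens: [literal], who/attr, or one of & | ( )
TOKEN = re.compile(r"\s*(\[[^\]]*\]|[A-Za-z]+/[A-Za-z]+|[&|()])")


def tokenize(expr):
    expr, pos, out = expr.strip(), 0, []
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad token at {expr[pos:]!r}")
        out.append(m.group(1))
        pos = m.end()
    return out


def parse_atom(toks, env):
    tok = toks.pop(0)
    if tok == "(":
        value = parse_expr(toks, env)
        if not toks or toks.pop(0) != ")":
            raise ValueError("missing ')'")
        return value
    if tok.startswith("["):                # string literal set, e.g. [foo]
        return {tok[1:-1].lower()}
    who, attr = tok.split("/", 1)          # user/attr or this/attr
    return {v.lower() for v in env[who].get(attr.lower(), [])}


def parse_expr(toks, env):
    value = parse_atom(toks, env)
    while toks and toks[0] in ("&", "|"):  # left-to-right, equal precedence (assumption)
        op = toks.pop(0)
        rhs = parse_atom(toks, env)
        value = value & rhs if op == "&" else value | rhs
    return value


def evaluate_set(expr, user, this):
    """Return the resulting set; access is granted only when it is non-empty."""
    toks = tokenize(expr)
    result = parse_expr(toks, {"user": user, "this": this})
    if toks:
        raise ValueError(f"trailing tokens: {toks}")
    return result
```

With the sample entries, `evaluate_set(EXPR, USER, THIS)` returns `{'foo'}`, so write access would be granted; a user whose OpenLDAPobjectAccess shares no listed value with the target yields an empty set and is denied.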