
Re: attribute for 'access to filter=...'



At 03:04 AM 4/16/2005, Hallvard B Furuseth wrote:
>I wonder if OpenLDAP should define an operational attribute intended
>to be used for 'filter=' and 'set=' access controls?  Maybe just with
>string syntax, more or less free-form contents chosen by the admin.

What's the operational semantics of the attribute?

>Our LDAP project is about to define an attribute for filter= and I've
>seen others need it, but since its functionality is implementation-
>specific it doesn't quite seem to belong in an organization's or LDAP
>project's schema.

Though the specification of ACLs is certainly implementation-specific,
this attribute doesn't appear to be implementation-specific itself.

>In particular if the organization has no other
>private schema elements...
>
>E.g. one could use things like
>
>   access to filter=(OpenLDAPobjectAccess=invisible) by self write
>
>or a few statements like
>
>   access to filter=(OpenLDAPobjectAccess=userPassword:localadm)
>             attrs=userPassword
>          by group=cn=localadm,cn=groups,dc=example,dc=com =xw
>          by * auth
>
>or
>
>  access to attrs=x,y,z by set="([foo] | [bar] | [baz])
>                                & user/OpenLDAPobjectAccess
>                                & this/OpenLDAPobjectAccess" write
>  (though a group memberOf attribute might be better in that case.)
>
>-- 
>Hallvard
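
A worked slapd.conf fragment along the lines Hallvard sketches, added here as an example and not taken from the thread or from OpenLDAP's own schema: the tag attribute is defined as an ordinary user attribute carried by an auxiliary objectClass (the names exampleObjectAccess and exampleAccessTagged and the OIDs under 1.3.6.1.4.1.99999 are placeholders, not registered identifiers), and the access clauses that consult it are preceded by one that controls who may write it. That ordering is the point a practitioner should not miss: slapd applies the first matching `access to` clause, so an unguarded `by self write` on a tagged entry would let the user edit his own tags and thereby the policy.

```conf
# Added example (not from the thread). Names and OIDs are placeholders;
# substitute an OID arc you control before using this.

# --- schema (e.g. in a file included from slapd.conf) ---
attributetype ( 1.3.6.1.4.1.99999.1.1
    NAME 'exampleObjectAccess'
    DESC 'Free-form tags consulted by filter= and set= access controls'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

objectclass ( 1.3.6.1.4.1.99999.2.1
    NAME 'exampleAccessTagged'
    DESC 'Auxiliary class carrying exampleObjectAccess'
    SUP top AUXILIARY
    MAY exampleObjectAccess )

# --- access controls (slapd.conf; first matching clause wins) ---

# 1. Guard the tag attribute first. Whoever can write this attribute
#    can rewrite the policy expressed by the clauses below, so only the
#    directory admins get write; authenticated users may read it.
access to attrs=exampleObjectAccess
    by group="cn=ldapadmin,cn=groups,dc=example,dc=com" write
    by users read
    by * none

# 2. Entries tagged 'invisible' are visible and writable only to the
#    entry itself and to the admins; nobody else sees them.
access to filter=(exampleObjectAccess=invisible)
    by self write
    by group="cn=ldapadmin,cn=groups,dc=example,dc=com" write
    by * none

# 3. Per-entry delegation of password resets: the tag
#    'userPassword:localadm' lets the localadm group set the password
#    (write without read, hence =xw); anyone may still bind against it.
access to filter=(exampleObjectAccess=userPassword:localadm)
           attrs=userPassword
    by group="cn=localadm,cn=groups,dc=example,dc=com" =xw
    by self =xw
    by * auth

# 4. Set-based variant: a user may write attributes x, y, z of a target
#    entry when the two entries share a tag among foo, bar and baz.
access to attrs=x,y,z
    by set="([foo] | [bar] | [baz])
            & user/exampleObjectAccess
            & this/exampleObjectAccess" write
    by * read
```

To check the result, bind as an ordinary user and search for `(exampleObjectAccess=invisible)` under the suffix: a non-admin who is not the tagged entry should get no entries back, and an ldapmodify of exampleObjectAccess on his own entry should be refused with insufficient access. Releases that ship slapacl(8) can answer the same questions offline against the loaded configuration.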