
ACL of external objects

Hello,

I'm considering using LDAP as a storehouse for access control information to different objects 
(e.g. files, database fields, printers, doors, etc ... whatever you imagine). I started with this 
object class:

objectclass myACL
        requires
                objectClass
        allows
                myObjectType,
                myObjectID,
                myAci

Here is a "real" example that explains the attributes:

dn: myObjectID=HP4000LJ1,ou=ACL,dc=ecn,dc=cz
objectclass: top
objectclass: myACL
myObjectType: printer
myObjectID: HP4000LJ1
myACI: uid=user1,ou=People,dc=ecn,dc=cz:P
myACI: uid=admin,ou=People,dc=ecn,dc=cz:AP
myACI: cn=Staff,dc=ecn,dc=cz:P

The user1 and all Staff members can print, the admin can print and also administer the printer. 
The possible permissions (P,A,...) will be dependent on the object type and will be specific for 
concrete applications.

I would like to know if there is any previous attempt to define such a schema. Or if you think this 
design is completely pointless, I would welcome hearing why ;-).

I see the basic problem in complicated parsing of the results. E.g. the query

>ldapsearch "(&(objectclass=myACL)(myObjectID=HP4000LJ1)(myACI=*user1*))" myACI

returns all the three appearances of the myACI attribute above, not just the only useful first one.

Regards,

Karel Zajicek (karel.zajicek@ecn.cz)
Econnect, Ceskomalinska 23, 160 00 Praha 6, Czech Republic
Tel.: +420-2-24311780, Fax: +420-2-24317892, http://www.ecn.cz
PGP Key: http://www.ecn.cz/karel/pgp.html
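An added example, not part of Karel's post: the search above hands back every myACI value of the matching entry, so the filtering has to happen on the client anyway. The snippet below embeds the printer entry from the post as a constructed LDIF string instead of calling ldapsearch, parses each myACI value by splitting at the last colon (a DN may itself contain colons), and decides a permission by exact DN comparison. Exact comparison is the point: the substring filter (myACI=*user1*) would also match uid=user10. Group membership (cn=Staff) is assumed to be resolved by the caller and passed in; the function names and the normalise_dn helper are my own, and the DN normalisation is deliberately minimal (it does not handle escaped commas).

```python
"""Client-side evaluation of the multi-valued myACI attribute from the post."""

# Constructed sample: the printer entry from the post, embedded inline so this
# runs without a directory server.
SAMPLE_LDIF = """\
dn: myObjectID=HP4000LJ1,ou=ACL,dc=ecn,dc=cz
objectclass: top
objectclass: myACL
myObjectType: printer
myObjectID: HP4000LJ1
myACI: uid=user1,ou=People,dc=ecn,dc=cz:P
myACI: uid=admin,ou=People,dc=ecn,dc=cz:AP
myACI: cn=Staff,dc=ecn,dc=cz:P
"""


def parse_ldif_entry(text):
    """Minimal single-entry LDIF parser (no base64, no continuation lines).

    Attribute names are case-insensitive in LDAP (the schema says myAci, the
    entry says myACI), so they are lower-cased as dictionary keys.
    """
    entry = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def normalise_dn(dn):
    """Cheap DN normalisation: lower-case, strip whitespace around RDNs.

    Assumption: no escaped commas inside attribute values.
    """
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_aci(value):
    """Split 'dn:PERMS' at the LAST colon, because a DN may contain colons.

    Returns (normalised_dn, set_of_permission_letters).
    """
    dn, sep, perms = value.rpartition(":")
    if not sep or not dn or not perms:
        raise ValueError("malformed myACI value: %r" % value)
    return normalise_dn(dn), set(perms.upper())


def permitted(entry, subject_dn, group_dns, perm):
    """True if subject_dn, or one of the group DNs it belongs to, holds perm.

    Matching is by exact (normalised) DN, never by substring, so uid=user10 is
    not granted anything that was meant for uid=user1.
    """
    principals = {normalise_dn(subject_dn)}
    principals.update(normalise_dn(g) for g in group_dns)
    for raw in entry.get("myaci", []):
        dn, perms = parse_aci(raw)
        if dn in principals and perm.upper() in perms:
            return True
    return False


def check(subject_dn, group_dns, perm):
    """Convenience wrapper over the constructed sample entry."""
    return permitted(parse_ldif_entry(SAMPLE_LDIF), subject_dn, group_dns, perm)


if __name__ == "__main__":
    print(check("uid=user1,ou=People,dc=ecn,dc=cz", [], "P"))    # True
    print(check("uid=user1,ou=People,dc=ecn,dc=cz", [], "A"))    # False
    print(check("uid=user10,ou=People,dc=ecn,dc=cz", [], "P"))   # False
    print(check("uid=user2,ou=People,dc=ecn,dc=cz",
                ["cn=Staff,dc=ecn,dc=cz"], "P"))                  # True
```

The permission letters stay opaque here, as in the post: the evaluator only checks set membership, and what "P" or "A" means is left to the application that owns the object type.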