Re: Access control based on attribute of binded user ?
Mads Freek wrote:
>
> Is there a way to express an access control based on an attribute value of
> the bound user in OpenLDAP?
>
> I would like to do the equivalent of:
>
> Access to <what> by dn="cn=(.*),dc=ruc,dc=dk" filter=(userType=Student) read
>
> I.e. use a filter in the who part as it is possible in the what part.
No.
The best you can do is to put students in a separate
subtree and use a <who> like
by dn="[^,]+,ou=Students,ou=People,..."
or use the attribute in the dn, say
by dn="[^,]+\+userType=Student,ou=People,..."
where your DNs are made up of, say,
dn: cn=<name>+userType=<type>,ou=People,...
I was thinking about something like that for ACLs, though.
However, it looks like evaluating this sort of ACL would
be costly in terms of time. In this case, as well as in
the case of other costly ACL evaluations, maybe we might
think of implementing a per-operation cache of these
evaluations. In this case, evaluations involving the
<who> part may be cached for all the entries that are
returned by a search.
Pierangelo.
--
Dr. Pierangelo Masarati mailto:ando@sys-net.it
Developer, SysNet s.n.c. http://www.sys-net.it
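The two workarounds described in the reply above, written out as a complete slapd.conf ACL stanza. This is an added illustration, not part of the original message and not OpenLDAP project code. It assumes the suffix dc=ruc,dc=dk from the thread, a hypothetical ou=Courses,dc=ruc,dc=dk subtree as the <what> being protected, and the explicit dn.children / dn.regex who-styles of OpenLDAP 2.1 and later in place of the bare dn="<regex>" form used in the reply.

```conf
# slapd.conf ACL fragment (added example; assumptions noted inline).
#
# Only the first "access to" whose <what> matches an entry is evaluated, and
# within it only the first matching "by" clause is used, so both workarounds
# are placed in one stanza. Either "by" line alone is enough if only one of
# the two DIT layouts is in use.
#
# Workaround 1: students live in their own subtree, so the <who> is
# expressed structurally. dn.children matches any bound DN strictly below
# ou=Students,ou=People,dc=ruc,dc=dk (the reply's by dn="[^,]+,ou=Students,...").
#
# Workaround 2: the user type is carried in a multi-valued RDN,
#   dn: cn=<name>+userType=<type>,ou=People,dc=ruc,dc=dk
# so the bound DN itself encodes the type and the <who> regex can test it.
# Assumptions for the regex: it is matched against the normalized bound DN,
# which lowercases attribute types and the values of case-insensitive
# attributes, hence "usertype=student"; the literal "+" is written as the
# bracket expression [+] so that no backslash escaping inside the quoted
# slapd.conf string is needed; the pattern is anchored and allows exactly one
# RDN above ou=People so that deeper entries do not match by accident.
access to dn.subtree="ou=Courses,dc=ruc,dc=dk"
    by dn.children="ou=Students,ou=People,dc=ruc,dc=dk" read
    by dn.regex="^cn=[^,+]+[+]usertype=student,ou=People,dc=ruc,dc=dk$" read
    by * none
```

After loading such a rule, the quickest check is to bind as a student DN and a non-student DN in turn and run a search under ou=Courses with each; the student should see entries and the other bind should get nothing back, and `slapd -d acl` shows which <who> clause each decision came from.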