
Re: Access control based on attribute of bound user?



Mads Freek wrote:
> 
> Is there a way to express an access control based on an attribute value of
> the bound user in OpenLDAP?
> 
> I would like to do the equivalent of:
> 
> Access to <what> by dn="cn=(.*),dc=ruc,dc=dk" filter=(userType=Student) read
> 
> I.e., use a filter in the who part as is possible in the what part.

No. 

The best you can do is to put students in a separate 
subtree and use a <who> like

	by dn="[^,]+,ou=Students,ou=People,..."

or use the attribute in the dn, say

	by dn="[^,]+\+userType=Student,ou=People,..."

where your dns are made up of, say,

dn: cn=<name>+userType=<type>,ou=People,...

I was thinking about something like that for ACLs, though.
However, it looks like evaluating this sort of ACL would 
be costly in terms of time. In this case, as well as in the
case of other costly ACL evaluations, maybe we might 
think of implementing a per-operation cache of these
evaluations. In this case, evaluations involving the
<who> part may be cached for all the entries that are 
returned by a search.

Pierangelo.

-- 
Dr. Pierangelo Masarati    mailto:ando@sys-net.it
Developer, SysNet s.n.c.   http://www.sys-net.it
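The two <who> workarounds above rely on slapd matching the bound user's normalized DN against a POSIX regex (in current releases written as `by dn.regex="..."`). The following added illustration, not part of the thread and not OpenLDAP code, replays that test in Python against constructed bind DNs under the dc=ruc,dc=dk suffix from the question, with the patterns anchored so that only a whole DN can match.

```python
import re

# The two <who> patterns from the reply, anchored with ^ and $ so the whole
# bind DN must match; slapd evaluates dn.regex as a POSIX regex, and an
# unanchored pattern would also match a substring of a longer DN.
# Suffix dc=ruc,dc=dk is the one used in the question.
WHO_SUBTREE = r'^[^,]+,ou=students,ou=people,dc=ruc,dc=dk$'
WHO_MULTIRDN = r'^[^,]+\+usertype=student,ou=people,dc=ruc,dc=dk$'


def who_matches(pattern: str, bind_dn: str) -> bool:
    """Emulate slapd's <who> regex test.

    Assumes bind_dn is already normalized (attribute types and
    case-insensitive values lowercased, no surplus whitespace), which is
    the form slapd compares regex clauses against; lowercasing here
    stands in for that normalization step.
    """
    return re.search(pattern, bind_dn.lower()) is not None


def grants_read(bind_dn: str) -> bool:
    """True if either workaround ACL would grant this bound user read access."""
    return who_matches(WHO_SUBTREE, bind_dn) or who_matches(WHO_MULTIRDN, bind_dn)


# Constructed sample bind DNs (not taken from the thread) -> expected decision.
SAMPLES = {
    "cn=alice,ou=Students,ou=People,dc=ruc,dc=dk": True,      # students subtree
    "cn=bob+userType=Student,ou=People,dc=ruc,dc=dk": True,   # multi-valued RDN
    "cn=carol,ou=Staff,ou=People,dc=ruc,dc=dk": False,        # other subtree
    "cn=dave+userType=Staff,ou=People,dc=ruc,dc=dk": False,   # other attribute value
    # [^,]+ covers exactly one RDN, so an entry one level deeper than
    # ou=Students is not a match; only its direct children are.
    "cn=eve,ou=Lab,ou=Students,ou=People,dc=ruc,dc=dk": False,
    # The trailing $ rejects a DN that merely contains the students
    # subtree as a prefix of a longer, foreign DN.
    "cn=frank,ou=Students,ou=People,dc=ruc,dc=dk,dc=example": False,
}


def check_samples() -> list:
    """Return the sample DNs whose decision differs from the expectation."""
    return [dn for dn, want in SAMPLES.items() if grants_read(dn) != want]


if __name__ == "__main__":
    for dn in SAMPLES:
        print(f"{'read' if grants_read(dn) else 'deny':5} {dn}")
    assert check_samples() == []
```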