Re: detecting rights
Timo Boettcher wrote:
>
> Hi all!
>
> Sorry for bugging again...
>
> I'm using group-based ACLs for access control, implementing different
> levels of access for different subtrees. Now I'd like to detect whether a
> user has the right to read/write to a specific entry because I won't
> display these possibilities on application-side to minimize
> user-confusion.
> Is there any possibility to do that without trying to read/write to an
> entry? I'm using ldap via php (I don't think that this matters, that
> should be ldap-related, not php-related. If I'm wrong with that, I'm
> sorry to post this Off-Topic but hope to get help anyhow).
If I get it right, you want to know if a user has access to a subtree
without performing a search on the subtree. In other words you ask if
the server publishes its ACL. I don't recall any means for a server
to publish ACLs (this would open security issues, I guess). The ACL
mechanism is applied by the server to the data; it is implementation
dependent. IMHO all you can do is let clients ask for data; protect
data on the server side.
Pierangelo.
--
Dr. Pierangelo Masarati | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale | fax: +39 02 2399 8334
Politecnico di Milano | mailto:masarati@aero.polimi.it
via La Masa 34, 20156 Milano, Italy | http://www.aero.polimi.it/~masarati