
Re: ACI/ACL based on entry attribute values



> So here is a situation: there is an LDAP database in which the tree
> structure is not known ahead of time and will be dynamic. Effective
> access control should be provided based on relative location of entries
> in an LDAP tree (and potentially other factors).
>
>  Basically, what I am trying to accomplish is - if an entry has an
> attribute X set to value "Val" (objectClass: CoolGuy), it will have
> access rights (as defined by some "magic" ACL) to any entry in its
> subtree.
>
> It seems that when defining "what" in ACL, a subtree modifier is only
> available to a specified DN, not to "self", correct? (If yes - why?)
>
>  In a more general case it would be convenient to match the accessed
> entry values (<what>) with authenticated entry values (<who>). For
> example if "streetName" is X and "objectClass" is "Owner", grant access
> to all entries where "streetName" is X regardless of location.
>
> This sort of matching can be accomplished in ACLs (and ACI I guess) if
> regexps used to match DN (and potentially filters for other attributes)
> had variable substitution with variables based on regexps matched on
> the authenticated entry.

You might want to have a look at "sets" (browse the FAQ)

>
> Anything like it exists/in work/of interest? Comments?

If you can come out with a specification a little more
consistent than the examples you gave above, it might
be of interest, provided it does not intersect too much
with acl sets, don't want to reinvent the wheel.

Pierangelo.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
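As an illustration of the "sets" pointer in the reply above, here is an added slapd.conf fragment that expresses the poster's second example (grant access when the accessed entry's streetName equals the authenticated entry's streetName) using the `set=` <who> clause described in slapd.access(5) and the OpenLDAP FAQ. This is not code from the thread or from the OpenLDAP project; the suffix `dc=example,dc=com`, the attribute list and the access levels are assumptions chosen for the example. In a set expression `this` denotes the entry being accessed, `user` the authenticated entry, `/attr` expands to that attribute's values, and `&` is set intersection; the clause matches when the resulting set is non-empty.

```conf
# Added example, not from the original thread. Suffix and attribute
# names are assumptions.
#
# Deny-by-default posture: the last "by * none" is what slapd applies
# when no earlier <who> clause matches, so a typo in the set expression
# fails closed rather than open.

# Every authenticated user may read the attributes that drive the
# decision, so the set expansion itself can succeed.
access to attrs=entry,objectClass,streetName
    by users read
    by * none

# Anyone whose own streetName value intersects the streetName of the
# entry being accessed may write to that entry, wherever it sits in
# the tree. "this/streetName & user/streetName" is the set of values
# common to both entries; a non-empty result grants the access level.
access to dn.subtree="dc=example,dc=com"
    by set="this/streetName & user/streetName" write
    by self read
    by users search
    by * none
```

Two things worth checking after loading such a rule: run `slapacl -b <dn> -D <bindDN> -v` (both are documented OpenLDAP tools and options) against a representative entry to confirm the evaluated access level, and remember that set expansion performs internal searches, so the attributes referenced by the set must be readable under the preceding rules or the set silently evaluates to empty and the clause never matches. The poster's first case (an entry with a given objectClass getting rights over its own subtree) is not covered by this fragment; it would need a different set or regex construction and is left to the FAQ the reply refers to.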