Format of ACL (feature request)
- To: openldap-software@OpenLDAP.org
- Subject: Format of ACL (feature request)
- From: Ace Suares <ace@suares.nl>
- Date: Thu, 16 Oct 2003 18:12:11 -0400
- Content-disposition: inline
- Organization: Ace Suares' Internet Consultancy
- User-agent: KMail/1.5.1
Hi,
Just a loose thought or two
It seems the format of the ACLs is rather restrictive. As far as I noticed,
the following stuff happens:
EXAMPLE 1:
access to *
by * none
ERROR 1:
/etc/ldap/qwidoACL/qwido.acl.global: line 300: warning: no by clause(s)
specified in access line
/etc/ldap/qwidoACL/qwido.acl.global: line 301: unknown directive "by" outside
backend info and database definitions (ignored)
EXAMPLE 2:
access to *
# comment
[tab]by * none
ERROR 2:
/etc/ldap/qwidoACL/qwido.acl.global: line 300: warning: no by clause(s)
specified in access lines
EXAMPLE 3:
[tab]access to *
[tab][tab]by * none
ERROR 3:
No error message, but the entire ACL is ignored.
These examples show that it becomes really difficult to indent the ACLs in
such a way that they are more readable, or to insert comments between ACLs
for clarity.
Could these restrictions be loosened, so that at least comment lines are just
ignored (and not translated to 'empty' lines), and that indentation might be
less of a problem?
Another feature that could make ACLs simpler to maintain would be defining
some constants at the top of the ACL file. It would be really handy
to, for example, specify:
PEOPLETREE: ou=people,dc=example,dc=com
ADMIN: cn=admin,$PEOPLETREE$
at the top of the file and later use it like this:
access to $PEOPLETREE$
by $MANAGER$ write
by users read
by anonymous auth
by * none
What do you think?
_Ace
--
Ace Suares' Internet Consultancy
NEW ADDRESS: Postbus 2599, 4800 CN Breda
telephone: 06-244 33 608
fax and voicemail: 0848-707 705
website: http://www.suares.nl * http://www.qwikzite.nl
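The three failures above all follow from the slapd.conf(5) line rules: a line beginning with whitespace is a continuation of the previous line (even if that previous line is a comment), and a `by` that is not a continuation of an `access` line is an unknown directive. A small preprocessor can provide the looser syntax the post asks for and emit the strict form slapd parses. The following is an added example written for this page, not OpenLDAP code and not something the project ships: it drops comments before joining continuation lines, accepts `access`/`by` at any indentation, resolves `NAME: value` constants referenced as `$NAME$` (the sigil and `NAME: value` form are taken from the post), and refuses to emit an ACL that references an undefined constant or has no `by` clause rather than letting slapd silently ignore it. The sample ACL text inside it is constructed for the demonstration.

```python
"""
Preprocessor for slapd-style ACL files (added example, not an OpenLDAP tool).

Accepts a looser syntax than slapd.conf(5):
  * '#' comment lines and blank lines are dropped *before* continuation
    lines are joined, so a comment may sit between "access to" and its
    "by" clauses;
  * "access" and "by" lines may be indented arbitrarily;
  * "NAME: value" lines define constants, used later as $NAME$.
Emits the strict form slapd actually parses: one unindented "access to"
line followed by tab-indented "by" continuation lines.
"""
import re

# $NAME$ references; a lone "$" (e.g. a regex anchor in dn.regex) is untouched
MACRO_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)\$")
DEFINE_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*):\s+(.+)$")


class AclError(ValueError):
    """Raised for input slapd would silently ignore or misparse."""


def expand(text, macros):
    """Replace every $NAME$ with its definition; an undefined name is an error
    rather than quietly becoming a literal (or empty) DN in an ACL."""
    def sub(m):
        name = m.group(1)
        if name not in macros:
            raise AclError("undefined constant $%s$" % name)
        return macros[name]
    return MACRO_RE.sub(sub, text)


def preprocess_acl(text):
    """Return strict slapd.conf ACL text built from the loose input."""
    macros = {}
    out = []            # emitted lines in strict slapd form
    in_access = False   # currently inside an access statement
    by_count = 0        # by clauses seen for the current access statement

    def close_access():
        # an access line with no by clause only produces a warning in slapd
        if in_access and by_count == 0:
            raise AclError("access statement %r has no by clause" % out[-1])

    for lineno, raw in enumerate(text.splitlines(), 1):
        s = raw.strip()
        if not s or s.startswith("#"):
            continue                       # comments never break a statement
        m = DEFINE_RE.match(s)
        if m:
            name, value = m.groups()
            macros[name] = expand(value, macros)   # resolve references now
            continue
        keyword = s.split(None, 1)[0]
        if keyword == "access":
            close_access()
            out.append(expand(s, macros))
            in_access, by_count = True, 0
        elif keyword == "by":
            if not in_access:
                raise AclError("line %d: 'by' clause outside an access statement" % lineno)
            out.append("\t" + expand(s, macros))   # tab makes it a continuation
            by_count += 1
        elif in_access and raw[:1].isspace():
            out[-1] += " " + expand(s, macros)     # wrapped "to" spec or by clause
        else:
            close_access()                         # some other directive
            out.append(expand(s, macros))
            in_access = False
    close_access()
    return "\n".join(out) + "\n"


# Constructed sample in the loose syntax: constants, indentation, a comment
# between "access to" and its "by" clauses, and an unindented "by".
SAMPLE = """\
PEOPLETREE: ou=people,dc=example,dc=com
ADMIN: cn=admin,$PEOPLETREE$

    access to dn.subtree="$PEOPLETREE$"
        # the admin DN is resolved from the constants above
        by dn.exact="$ADMIN$" write
        by users read
        by anonymous auth
        by * none

access to *
by * none
"""

if __name__ == "__main__":
    print(preprocess_acl(SAMPLE), end="")
```

Redirect the output into the file named by the `include` directive (or the ACL section of slapd.conf) and, on releases that ship it, run `slaptest -f` against the resulting configuration before restarting slapd; the preprocessor catches the undefined `$MANAGER$` case from the post (it raises instead of emitting the line) and the "no by clause" case, which slapd itself only warns about.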