Re: ACI?
Hallvard B Furuseth wrote:
> Pierangelo Masarati writes:
>> Ted Kaczmarek wrote:
>>> Is openldap with aci enabled still considered development?
>> (...) In 2.3, some effort is being put in determining if they
>> suffer from deadlocking, and apparently they don't; I cannot say the
>> same for earlier releases because no such testing has been done
>> consistently, AFAIK.
> I thought that was 'access ... by set='. It's 'by aci' too?

ACI is enabled at compile time by defining --enable-aci; then, to enable it,
you need to add

    access ...
        by aci[=<aciAttributeDescription>] <access>

where <aciAttributeDescription> is the attribute that contains the rules
and <access> are the privileges that the rules are allowed to change; if
you want to allow changing all privileges you need to use "write";
otherwise, the resulting mask of privileges changed by ACIs is &-ed with
the privileges defined by <access>.
ACIs have very little (if any) to do with sets.
Note that in 2.3 ACI support has been moved under the umbrella of
"dynacl", which is a framework for pluggable access controls; the syntax
in this case is

    access ...
        by dynacl/<type>[.<style>][=pattern] <access>

if <type> is "aci", then the regular ACIs are used (I haven't isolated
their code enough to allow their loading run-time, so they're still
static). Of course, the old syntax is recognized. This is (almost)
totally undocumented, except the ACI entry in the FAQ
<http://www.openldap.org/faq/data/cache/634.html>, because it's
__really__ experimental.
p.
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
- References:
- ACI?
- From: Ted Kaczmarek <tedkaz@optonline.net>
- Re: ACI?
- From: Pierangelo Masarati <ando@sys-net.it>
- Re: ACI?
- From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
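
An added example, not part of the original message and not OpenLDAP code: a small audit script that finds the "by aci" and "by dynacl/aci" clauses described above in a slapd.conf and flags those whose <access> is "write", which per the message lets ACIs change all privileges. The sample configuration and the attribute name exampleACI are constructed for illustration.

```python
import re

# Both spellings from the message:
#   by aci[=<aciAttributeDescription>] <access>
#   by dynacl/aci[.<style>][=pattern] <access>
BY_ACI = re.compile(
    r"\bby\s+(?:dynacl/)?aci(?:\.(?P<style>[^\s=]+))?(?:=(?P<arg>\S+))?"
    r"\s+(?P<access>\S+)", re.IGNORECASE)

def logical_lines(text):
    """Join slapd.conf continuation lines (leading whitespace), skip comments."""
    current, in_comment = None, False
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t"):  # continuation of the previous line
            if current is not None and not in_comment:
                current += " " + raw.strip()
            continue
        if current and not in_comment:
            yield current
        in_comment = raw.startswith("#")
        current = raw.strip() or None
    if current and not in_comment:
        yield current

def audit_aci_clauses(conf_text):
    """Return one finding per ACI-driven 'by' clause in access directives."""
    findings = []
    for line in logical_lines(conf_text):
        if not line.lower().startswith("access "):
            continue
        for m in BY_ACI.finditer(line):
            access = m.group("access").lower()
            findings.append({
                "arg": m.group("arg"),  # optional '=...' part, None if absent
                "access": access,       # reported verbatim, not interpreted
                "uncapped": access == "write",  # ACIs may change all privileges
            })
    return findings

# Constructed sample configuration (hypothetical DNs and attribute name).
SAMPLE = """\
# constructed sample, not from a real deployment
access to dn.subtree="ou=people,dc=example,dc=com"
    by aci write
    by * none
access to attrs=userPassword
    by dynacl/aci read
    by anonymous auth
access to *
    by aci=exampleACI search
    by users read
"""
```

Calling audit_aci_clauses(SAMPLE) returns three findings, of which only the first ("by aci write") is marked uncapped.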