Re: ACI?

[Pierangelo Masarati <ando@sys-net.it>]

Hallvard B Furuseth wrote:

> Pierangelo Masarati writes:
>  
>
> > Ted Kaczmarek wrote:
> >    
> >
> > > Is openldap with aci enabled still considered development?
> > >      
> > (...) In 2.3, some effort is being put in determining if they
> > suffer from deadlocking, and apparently they don't; I cannot say the
> > same for erlier releases because no such testing has been done
> > consistently, AFAIK.
> >    
>
> I thought that was 'access ... by set='.  It's 'by aci' too?
>  
ACI is enabled at compile by defining --enable-aci; then, to enable it, 
you need to add

access ...
   by aci[=<aciAttributeDescription>]  <access>

where <aciAttributeDescription> is the attribute that contains the rules 
and <access> are the privileges that the rules are allowed to change; if 
you want to allow changing all privileges you need to use "write"; 
otherwise, the resulting mask of privileges changed by ACIs is &-ed with 
the privileges defined by <access>.

ACIs have very little (if any) to do with sets.

Note that in 2.3 ACI support has been moved under the umbrella of 
"dynacl", which is a frmework for pluggable access controls; the syntax 
in this case is

access ...
   by dynacl/<type>[.<style>][=pattern] <access>

if <type> is "aci", then the regular ACIs are used (I haven't isolated 
their code enough to allow their loading run-time, so they're still 
static).  Of course, the old yntax is recognized.  This is (almost) 
totally undocumented, except the ACI entry in the FAQ 
<http://www.openldap.org/faq/data/cache/634.html>, because it's 
__really__ experimental.

p.


   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497