
Re: ACI?



Hallvard B Furuseth wrote:

> Pierangelo Masarati writes:
>
>> Ted Kaczmarek wrote:
>>
>>> Is openldap with aci enabled still considered development?
>>
>> (...) In 2.3, some effort is being put in determining if they
>> suffer from deadlocking, and apparently they don't; I cannot say the
>> same for earlier releases because no such testing has been done
>> consistently, AFAIK.
>
> I thought that was 'access ... by set='. It's 'by aci' too?


ACI is enabled at compile time by defining --enable-aci; then, to enable it, you need to add

access ...
   by aci[=<aciAttributeDescription>]  <access>

where <aciAttributeDescription> is the attribute that contains the rules and <access> are the privileges that the rules are allowed to change; if you want to allow changing all privileges you need to use "write"; otherwise, the resulting mask of privileges changed by ACIs is &-ed with the privileges defined by <access>.

ACIs have very little (if any) to do with sets.

Note that in 2.3 ACI support has been moved under the umbrella of "dynacl", which is a framework for pluggable access controls; the syntax in this case is

access ...
   by dynacl/<type>[.<style>][=pattern] <access>

if <type> is "aci", then the regular ACIs are used (I haven't isolated their code enough to allow their loading at run-time, so they're still static). Of course, the old syntax is recognized. This is (almost) totally undocumented, except the ACI entry in the FAQ <http://www.openldap.org/faq/data/cache/634.html>, because it's __really__ experimental.

p.


SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
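The two directive forms described in the post above, written out as an added slapd.conf example that is not from the original thread. It assumes the suffix dc=example,dc=com, a manager DN, and the attribute name OpenLDAPaci (slapd's default for "by aci" when no =<attr> is given); the point it shows is how the <access> value caps whatever the entry-level ACIs can grant.

```conf
# Added example, not from the original thread. Suffix, manager DN and
# OU names are constructed; OpenLDAPaci is the default ACI attribute.

# Weak cap: the ACIs stored in entries under ou=People may grant any
# privilege up to and including write, so whoever can edit an entry's
# OpenLDAPaci attribute can hand out write access to that entry.
access to dn.subtree="ou=People,dc=example,dc=com"
    by aci=OpenLDAPaci write
    by * none

# Tighter cap: the mask of privileges granted by an ACI is &-ed with
# "read", so entry ACIs can delegate at most read (and the levels
# below it); write stays reachable only through the static rule.
access to dn.subtree="ou=People,dc=example,dc=com"
    by dn.exact="cn=Manager,dc=example,dc=com" write
    by aci=OpenLDAPaci read
    by * none

# 2.3 dynacl form of the same clause; the old "by aci" syntax is
# still accepted alongside it.
access to dn.subtree="ou=Groups,dc=example,dc=com"
    by dn.exact="cn=Manager,dc=example,dc=com" write
    by dynacl/aci=OpenLDAPaci read
    by * none
```

Both forms require slapd built with --enable-aci, and the OpenLDAPaci values themselves follow the format described in the FAQ entry linked in the post.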