
Re: (ITS#3625) [enhancement] per-operation ACLs



watch out for manage (m) and disclose (d) permissions.

At 01:10 PM 4/1/2005, Kurt@OpenLDAP.org wrote:
>At 12:52 PM 4/1/2005, ando@sys-net.it wrote:
>>Kurt D. Zeilenga wrote:
>>
>>>What about modify operations which add entries, or
>>>add operations that modify existing entries, or
>>>delete operations that do searches, or searches
>>>that do deletes?
>>>
>>>Is it the LDAP op code that matters here? or the
>>>underlying DIT operation?  I think the latter.
>>>  
>>>
>>Are you thinking about internal operations, as those performed by 
>>syncrepl or things like that?
>
>I'm thinking about operations extended by controls,
>overlay/SLAPI games, etc..
>
>>I understand your point, and in fact I'd 
>>try to use the op code related to the operation requested by the client 
>>(which is not what the code is doing right now) instead of that of the 
>>current operation.  However, it is my understanding that whenever an 
>>operation is doing something radically different (e.g., a search deletes 
>>an entry) it is likely to be performed with some administrative 
>>privileges (e.g. rootdn or so).
>>
>>>Maybe it would make more sense to divide "w"
>>>into different kinds of writes?
>>>  
>>>
>>Something like
>>
>>>  permission = "a" / ; add
>>>               "d" / ; delete
>>>               "e" / ; export
>>>               "i" / ; import
>>>               "n" / ; renameDN
>>>               "b" / ; browseDN
>>>               "t" / ; returnDN
>>>               "r" / ; read
>>>               "s" / ; search
>>>               "w" / ; write (mod-add)
>>>               "o" / ; obliterate (mod-del)
>>>               "c" / ; compare
>>>               "m" / ; make
>>
>>p.
>>
>>
>>    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
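The warning at the top of the reply is about letter clashes: the proposed grammar reuses "d" and "m", which slapd already hands out for disclose and manage. The following is an added example, not code from the thread or from OpenLDAP, that parses the quoted permission grammar and reports exactly those collisions. It assumes the set of privilege letters documented in slapd.access(5) (m, w, a, z, r, s, c, x, d, 0); the page itself only names m=manage and d=disclose, and the helper names are invented here.

```python
import re

# Privilege letters as documented in slapd.access(5). Assumption: this is
# the set a reviewer would check a new grammar against; the thread itself
# only points out m=manage and d=disclose.
SLAPD_PRIVS = {
    "m": "manage", "w": "write", "a": "add", "z": "delete",
    "r": "read", "s": "search", "c": "compare", "x": "auth",
    "d": "disclose", "0": "none",
}

# Constructed input: the proposal exactly as quoted in the message,
# quote markers included, so the parser has to cope with mail quoting.
PROPOSAL = """\
>>>  permission = "a" / ; add
>>>               "d" / ; delete
>>>               "e" / ; export
>>>               "i" / ; import
>>>               "n" / ; renameDN
>>>               "b" / ; browseDN
>>>               "t" / ; returnDN
>>>               "r" / ; read
>>>               "s" / ; search
>>>               "w" / ; write (mod-add)
>>>               "o" / ; obliterate (mod-del)
>>>               "c" / ; compare
>>>               "m" / ; make
"""

# One alternative of the grammar: a quoted letter, an optional "/"
# separator, then an ABNF comment giving the meaning.
_RULE = re.compile(r'"([a-z0-9])"\s*(?:/\s*)?;\s*(.+?)\s*$')


def parse_permission_grammar(text):
    """Return {letter: meaning} from an ABNF-with-comments fragment."""
    perms = {}
    for line in text.splitlines():
        line = line.lstrip("> ")          # drop mail quoting
        match = _RULE.search(line)
        if match:
            perms[match.group(1)] = match.group(2)
    return perms


def _keyword(meaning):
    # "write (mod-add)" and "write" describe the same privilege family;
    # compare on the first word only.
    return meaning.split()[0].lower()


def find_collisions(proposed, existing=SLAPD_PRIVS):
    """Letters the proposal reuses with a meaning that differs from the
    one slapd already assigns to that letter."""
    return {
        letter: (meaning, existing[letter])
        for letter, meaning in proposed.items()
        if letter in existing and _keyword(meaning) != _keyword(existing[letter])
    }


if __name__ == "__main__":
    proposed = parse_permission_grammar(PROPOSAL)
    for letter, (new, old) in sorted(find_collisions(proposed).items()):
        print(f'"{letter}": proposed {new!r} but slapd already uses it for {old!r}')
```

Running it lists "d" (delete vs. disclose) and "m" (make vs. manage); the letters whose meaning already matches slapd's (a, c, r, s, w) are not reported, and the six unassigned letters pass silently.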