
RE: Granting rights based on relationships



At 02:03 PM 6/7/00 -0700, Howard Chu wrote:
>This sounds pretty complicated to evaluate. It also sounds like we need to
>cache a copy of the currently bound user's entry with the connection, as I
>suggested before for atattr support.

We might cache information derived from the user's entry with the
connection, but not the entry itself.

>It also seems to me, that the suggestion of caching already-evaluated
>ACLs makes sense to do here.

This gets messy and likely of limited value.  First, an ACL by clause
dn=<regex> is based upon what the "to dn=<regex>" is and allows
for substitution.  Second, you have to preserve the order of all ACLs.

And also note that the current evaluation is "to X by Y", not
"by Y to X"...

>The list of evaluated ACLs probably should go on the connection handle
>itself, but I was first thinking of adding it to the cached user entry.
>Sticking them directly on the connection might be easier, otherwise we
>have to implement that virtual entry concept to take advantage of this
>trick for bind DNs that don't have corresponding entries in the slapd
>database.

Most backends don't have entry caching... mucking with the
entry cache is not an option, and mucking with the entry
itself makes little sense.
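The two objections above (the "by dn=<regex>" clause is substituted from
whatever the "to dn=<regex>" matched, and ACLs are order-sensitive) can be
seen in a small model of "to X by Y" evaluation. The following is an added
illustration written for this page; it is not slapd's code, and the ACL
list, DNs and the `$1` substitution syntax it uses are constructed
assumptions chosen to mirror the discussion.

```python
import re
from typing import List, Optional, Tuple

# Toy model of slapd-style "access to <what> by <who> <level>" evaluation.
# Constructed for illustration only; this is not slapd's implementation.
# One "to" clause is (target-DN regex, [(who, level), ...]).
Acl = Tuple[str, List[Tuple[str, str]]]


def evaluate(acls: List[Acl], target_dn: str, bound_dn: Optional[str]) -> str:
    """Return the access level bound_dn has to target_dn.

    Order is "to X by Y": the first "to" clause whose regex matches the
    target entry is selected, and within it the first matching "by" clause
    decides.  Groups captured by the "to" regex are substituted into a
    "by dn=<regex>" as $1, $2, ... before matching, so the same bound DN can
    receive different levels on different targets.  No match means "none".
    """
    for to_pat, by_clauses in acls:
        m = re.match(to_pat, target_dn)
        if not m:
            continue
        for who, level in by_clauses:
            if who == "*":
                return level
            if who == "anonymous":
                if bound_dn is None:
                    return level
                continue
            if who == "users":
                if bound_dn is not None:
                    return level
                continue
            if bound_dn is None:
                continue  # a dn=<regex> clause never matches an anonymous bind
            # Substitute $n with the n-th group captured by the "to" regex.
            who_pat = re.sub(
                r"\$(\d+)",
                lambda g: re.escape(m.group(int(g.group(1))) or ""),
                who,
            )
            if re.match(who_pat, bound_dn):
                return level
        return "none"  # a "to" matched but no "by" did: implicit "by * none"
    return "none"


# Constructed sample policy: the admin of an OU may write entries in that
# OU; any authenticated user may read them; everything else is read-only
# for authenticated users.
ACLS: List[Acl] = [
    (r"^(?:.+,)?ou=([^,]+),dc=example,dc=com$",
     [(r"^cn=admin,ou=$1,dc=example,dc=com$", "write"),
      ("users", "read")]),
    (r".*", [("users", "read")]),
]

SALES_ADMIN = "cn=admin,ou=sales,dc=example,dc=com"


def sales_admin_on_sales_entry() -> str:
    return evaluate(ACLS, "uid=bob,ou=sales,dc=example,dc=com", SALES_ADMIN)


def sales_admin_on_eng_entry() -> str:
    # Same bound DN, different target: the substituted "by" regex no longer
    # matches, so a per-user cache of "evaluated ACLs" would be wrong here.
    return evaluate(ACLS, "uid=alice,ou=eng,dc=example,dc=com", SALES_ADMIN)


def anonymous_on_sales_entry() -> str:
    return evaluate(ACLS, "uid=bob,ou=sales,dc=example,dc=com", None)


def reordered_sales_admin_on_sales_entry() -> str:
    # Swapping the two "to" clauses changes the answer: the catch-all now
    # matches first and its "by users read" wins, which is why order must
    # be preserved in any cached form.
    return evaluate(list(reversed(ACLS)),
                    "uid=bob,ou=sales,dc=example,dc=com", SALES_ADMIN)
```

The second and fourth functions are the two cases the message raises: the
result for one bound DN depends on the target (substitution), and on the
position of each "to" clause (order).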