[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Shell backend, modify method, ACL

To: Simon Spero <ses@tipper.oit.unc.edu>
Subject: Re: Shell backend, modify method, ACL
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Thu, 21 Jun 2001 16:36:29 -0700
Cc: <openldap-devel@OpenLDAP.org>
In-reply-to: <Pine.OSX.4.33.0106211435010.1085-100000@k-hole.ibiblio.org >
References: <5.1.0.14.0.20010620163204.02918b70@127.0.0.1>

At 12:02 PM 6/21/2001, Simon Spero wrote:
>On Wed, 20 Jun 2001, Kurt D. Zeilenga wrote:
>>
>> Yes, to properly evaluate ACLs, one needs a complete copy of
>> entry.
>
>In the general case this is true; however when access rules do not refer
>to a value in the object being operated on, the access check can be
>evaluated purely based on the operation being performed.
>
>This situation applies to a lot of extremely common cases

I note that target dependent ACLs are quite common.

I note this thread is in regards to back-shell, which
defers almost all access control decisions to shell modules.
Some would argue that, for this backend, all access control
decisions should be deferred to shell models.

Kurt

References:
- Re: Shell backend, modify method, ACL
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: Re: SLAPD: Should access checks take place before filter matching?
Next by Date: Just committed backendsyncfreq code to devel
Index(es):
- Chronological
- Thread