[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Test operations

To: Sébastien Bahloul <bahloul@linagora.com>
Subject: Re: Test operations
From: Howard Chu <hyc@symas.com>
Date: Fri, 19 Nov 2004 06:11:37 -0800
Cc: OpenLDAP Devel <openldap-devel@OpenLDAP.org>
In-reply-to: <419DD514.9020809@linagora.com>
References: <419DD514.9020809@linagora.com>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a5) Gecko/20041101

I have the feeling it would be better to define a Test control that can be added to any operation. Since the LDAP protocol is extensible, defining things this way would mean you don't have to keep rewriting the Test specification every time something else in LDAP is extended. Also, since OpenLDAP (and other directory servers) provides ACL controls down to individual values of an attribute, the only way for a Test operation to be totally reliable is for it to exactly duplicate an actual LDAP operation

But I think the NoOp control can already satisfy this purpose.


Sébastien Bahloul wrote:

Hello,
One month ago, I asked the list about integrating a new ACL model (AACLs), which is currently in test phase, as an overlay.

Now I'm looking to write an extended operation based on the standard, ACI or AACLs access model to allow operations testing.

The first point is about the need of such extended operation : what's your feeling about that ? Mine is that it could be very interesting because of the security model which is already defined in the LDAP directory and could be reuse to avoid a specification of a different model in the applications. So administrators would have to maintain only one model which could be shared between severeals applications. (The need of a different model between the directory and the application could be satisfied by introducing a back-ldap instance between them with a different security model)

Second point is about the implementation. I think the operation needs three parameters : - the operation (authentication, compare, search, read, modify, modify RDN, add, delete) - the entry DN (in creation, the first thing is to get the entry's father DN) - a list of attributes or null (or the "entry" keyword) And it have to return one boolean parameter (is the access allowed or not ? for the write access on severels attributes, access would be allowed, if and only if all attributes could be written)
Third point : does this operation need to precised as a draft ?
Regards,
Sebastien.

--
 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support

References:
- Test operations
  - From: Sébastien Bahloul <bahloul@linagora.com>

Prev by Date: Test operations
Next by Date: Re: Test operations
Index(es):
- Chronological
- Thread