Re: attribute for 'access to filter=...'

[Pierangelo Masarati <ando@sys-net.it>]

Hallvard B Furuseth wrote:

> I wonder if OpenLDAP should define an operational attribute intended
> to be used for 'filter=' and 'set=' access controls?  Maybe just with
> string syntax, more or less free-form contents chosen by the admin.
>
> Our LDAP project is about to define an attribute for filter= and I've
> seen others need it, but since its functionality is implementation-
> specific it doesn't quite seem to belong in an organization's or LDAP
> project's schema.  In particular if the organization has no other
> private schema elements...
>
> E.g. one could use things like
>
>   access to filter=(OpenLDAPobjectAccess=invisible) by self write
>
> or a few statements like
>
>   access to filter=(OpenLDAPobjectAccess=userPassword:localadm)
>             attrs=userPassword
>          by group=cn=localadm,cn=groups,dc=example,dc=com =xw
>          by * auth
>
> or
>
>  access to attrs=x,y,z by set="([foo] | [bar] | [baz])
> 		                & user/OpenLDAPobjectAccess
> 		                & this/OpenLDAPobjectAccess" write
>  (though a group memberOf attribute might be better in that case.)
>  
Makes sense, although its "specification" may sound a bit too loose 
right now (I guess you intended it so...).

With respect to "memberOf", I have loose plans (if I'd ever have any 
time to spare...) to implement a "memberOf" overlay that maintains 
back-references (and referential integrity "a la" refint).  Unless 
someone else wants to jump in...

Ciao, p.

--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it



   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497