Default attribute access?
I'd like a way to specify per-attribute "default access controls", so
that one can specify the attribute's default access together with the
attribute definition (or with the include statement for the schema
file), rather than all over the place in the access statements in the
various databases.  An access statement at the beginning can be too
early.  But too late and any implicit or explicit '*' for attrs will
override it.

Maybe layered ACLs, so that if an operation gets access to attribute
foo from an access statement which does not include an explicit "to
attrs=foo", then try the next layer of access controls and use the
intersection of the accesses from both layers as the actual access to
"foo".

So instead of
   access to attrs=userPassword ...
before anything like
   access to dn.subtree=whatever by * read
one could have it in just one place - or none, if the default is built
into the userPassword definition as an extension.

Also a way to do the equivalent of ending the access list with this,
if that does not exist already:
   access to attrs=<operational attributes> by * +0
   access to * by * none
or
   access to attrs=<user attributes> by * none
   access to * by * read

Comments?  Am I missing something?

-- 
Hallvard
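
As an added illustration of the ordering problem the post describes (this is not from the original message, and the suffix dc=example,dc=com and the DNs in it are assumed for the example): slapd evaluates access directives in order, and the first directive whose <what> clause matches the entry and attribute being checked decides the result, so a broad rule with an implicit attrs=* placed before the userPassword rule makes the userPassword rule unreachable.

```text
# Added example (not from the original post). slapd.conf ACL fragment;
# the suffix dc=example,dc=com is assumed for illustration.

## WEAK ORDERING: the subtree rule comes first. Its <what> has no attrs=
## clause, so attrs=* is implied and it matches userPassword as well.
## The userPassword directive below it is never consulted, so any
## identity, anonymous included, can read password hashes.
access to dn.subtree="dc=example,dc=com"
        by * read
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

## CORRECTED ORDERING: the attribute-specific rule precedes the broad one,
## and the list ends with the explicit "deny everything else" default
## the post asks for, so nothing falls through by accident.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to dn.subtree="dc=example,dc=com"
        by * read
access to *
        by * none
```

The effective access can be checked offline with slapacl(8) against each configuration, for example `slapacl -f slapd.conf -D "uid=mallory,ou=people,dc=example,dc=com" -b "uid=jdoe,ou=people,dc=example,dc=com" userPassword/read` (both DNs assumed): with the weak ordering it reports read access to jdoe's userPassword for an unrelated user, with the corrected ordering it does not.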