
Re: ACL decisions based on requested access



Rein Tollevik wrote:
I have a fairly complicated ACL set which I need to optimize the
evaluation of.  To do this I need to make decisions based on the
requested access level, which currently isn't possible (as far as I know
that is).  E.g., most of my ACLs are concerned with whether the entries
and attributes should be read or writable or not, and I would like to
quickly grant search access when that is all that is requested.

One possibility I have considered is to add a new optional <requested
access> field between the existing <who> and the <access> clauses, but
I'm not very happy with that solution as it could easily be mixed with
the existing <access>.

For what it's worth, HP had a similar requirement. We showed them how to write a dynacl module to intercept regular ACL processing and do what they needed. It seems to me that you should be able to at least prototype using dynacl first, to gain some experience with the real effects of these controls, before progressing further in the core code.

So far my preferred solution is to add two new ACL controls, which I
currently think of as "sufficient" and "requested".

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/