[Date Prev][Date Next] [Chronological] [Thread] [Top]

ACI/ACL based on entry attribute values

To: OpenLDAP-software@OpenLDAP.org
Subject: ACI/ACL based on entry attribute values
From: Ugen <ugen@xonix.com>
Date: Thu, 19 Dec 2002 12:14:18 -0500
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.2b) Gecko/20021016

So here is a situation: there is an LDAP database in which the tree
structure is not known ahead of time and will be dynamic. Effective
access control should be provided based on relative location of entries
in an LDAP tree (and potentially other factors).

Basically, what i am trying to accomplish is - if an entry has an attribute
X set to value "Val" (objectClass: CoolGuy), it will have access rights
(as defined by some "magic" ACL) to any entry in it's subtree.

It seems that when defining "what" in ACL, a subtree modifier is only
available to a specified DN, not to "self", correct? (If yes - why?)

In a more general case it would be convenient to match the accessed entry values (<what>) with authenticaed entry values (<who>). For example if "streetName" is X and "objectClass" is "Owner" , grant access to all entries where "streetName" is X regardless of location.

This sort of matching can be accomplished in ACLs (and ACI i guess) if regexps used to match DN (and potentially filters for other attributes) had variable substitution with variables based on regexps matched on the authenticated entry.

Anything like it exists/in work/of interest? Comments?
--Ugen

Follow-Ups:
- Re: ACI/ACL based on entry attribute values
  - From: "Pierangelo Masarati" <ando@sys-net.it>

Prev by Date: RE: SUMMARY: Follow up: 2.1.5, solaris 8, fails to start
Next by Date: RE: Replication
Index(es):
- Chronological
- Thread