[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACI developmental status

To: Quanah Gibson-Mount <quanah@stanford.edu>
Subject: Re: ACI developmental status
From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
Date: Mon, 9 May 2005 22:37:34 +0200
Cc: tedkaz@optonline.net, openldap-software@OpenLDAP.org
In-reply-to: <3DAF51312C38F4FEBAF9068B@cadabra-dsl.stanford.edu>
References: <1115649906.19476.4.camel@inyoureyes.linsolutions.com> <3DAF51312C38F4FEBAF9068B@cadabra-dsl.stanford.edu>

Quanah Gibson-Mount writes:
> With OpenLDAP 2.3, it will be possible to replace all your *.conf
> files with the new back-config DB.  This will allow ACL's to be
> modified on the fly, and remove the need for ACI's at all.  ACL's are
> somewhat more powerful than ACI's, so I myself see little reason for
> them to even remain once OL 2.3 is released.

Our site needed ACIs when employees could choose to make their
entries or selected attributes in them visible to only some people.

Well, it would be possible to introduce a 'hide' attribute instead
and insert a bunch of statements like this in slapd.conf:
     access to filter=(hide=mail:foo) attrs=mail
            by <foo> none
            by * none break
but this is not exactly elegant, it scales poorly and it's also
easy to make a typo in the ACLs.

Do you have a better suggestion for such ACLs?

For that matter, what if you want to allow users write access to the
access controls for their own entries?

-- 
Hallvard

Follow-Ups:
- Re: ACI developmental status
  - From: Howard Chu <hyc@symas.com>
- Re: ACI developmental status
  - From: Quanah Gibson-Mount <quanah@stanford.edu>

References:
- ACI developmental status
  - From: Ted Kaczmarek <tedkaz@optonline.net>
- Re: ACI developmental status
  - From: Quanah Gibson-Mount <quanah@stanford.edu>

Prev by Date: Re: ACI developmental status
Next by Date: Re: ACI developmental status
Index(es):
- Chronological
- Thread