
Re: ldapACI permissions



At 11:12 AM 3/22/00 -0700, Jim Sermersheim wrote:
>I think it would be very hard and not very useful to allow one to have 'a' or 'd' rights, and not 'w'. This is especially true when the identity with 'a' rights doesn't have 'w' rights to mandatory attributes. I think certain rights should imply other rights. Maybe a set of 'implication rules' is needed. Something like:
>

This is just food for thought:

Having used access levels ("write" => "read" => "search" => "compare") in OpenLDAP
for some time, I have only found a couple of cases (such as disallowing search
of a readable attribute) where discrete permissions would have been extremely
useful.  These cases were enough to convince me that we should add support
for such.

Our devel code now supports both; it can be viewed (simplified) as:
	"write" is "=wrsc"
	"read" is "=rsc"
	"search" is "=sc"
	"compare" is "=c"

where the "=" sign is used to indicate that the value is a discrete set of
permissions.  If you wanted to grant "r" but not "sc", you'd say "=r".
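A small model of the two notations described in the message, added here as an example rather than code from the post or from OpenLDAP; the level-to-privilege mapping is the simplification given above, and the operation names and the `=r` "readable but not searchable" case are assumptions used for illustration:

```python
# Added example (not from the OpenLDAP post or its code): model the cumulative
# access levels ("write" => "read" => "search" => "compare") beside the
# discrete "=..." privilege sets, and evaluate which operations a given
# access specification permits on an attribute.

# Level -> privilege letters, as simplified in the post (assumption).
LEVEL_PRIVS = {
    "write":   "wrsc",
    "read":    "rsc",
    "search":  "sc",
    "compare": "c",
    "none":    "",
}

# Privilege letter each attribute operation needs (assumed mapping).
OP_PRIV = {
    "modify":  "w",
    "read":    "r",   # returning the attribute value in search results
    "search":  "s",   # using the attribute in a search filter
    "compare": "c",
}


def resolve(spec: str) -> frozenset:
    """Expand an access specification into the privilege letters it grants.

    A bare level name expands through the implication chain; a spec starting
    with "=" is taken literally as a discrete set with nothing implied.
    """
    spec = spec.strip()
    if spec.startswith("="):
        privs = spec[1:]
        unknown = set(privs) - set("wrsc")
        if unknown:
            raise ValueError(f"unknown privilege letters: {''.join(sorted(unknown))}")
        return frozenset(privs)
    if spec in LEVEL_PRIVS:
        return frozenset(LEVEL_PRIVS[spec])
    raise ValueError(f"unknown access specification: {spec!r}")


def permits(spec: str, operation: str) -> bool:
    """True if the access spec grants the privilege `operation` requires."""
    return OP_PRIV[operation] in resolve(spec)


def allowed_operations(spec: str) -> list:
    """Every operation the spec allows, in a stable order (useful for review)."""
    return [op for op in OP_PRIV if permits(spec, op)]


if __name__ == "__main__":
    # The case from the post: attribute readable, but not usable in a filter.
    for spec in ("read", "=r"):
        print(f"{spec:>5}: {allowed_operations(spec)}")
```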