Re: application defined permission

["Kurt D. Zeilenga" <Kurt@OpenLDAP.org>]

At 04:52 PM 3/9/01 +0100, Rob Byrne wrote:
>My own feeling is still that it would be better to leave application
>stuff out of the core model.

I concur.  The ACL model should be simple.  This would add
unnecessary complexity to the specification and implementations.

>In terms of your proposal...I like the tagged oid approach.  I think it
>would be better if you did not mention the xep stuff at all--let's leave
>that for the next guy who will struggle with the extended operational
>permissions....if that ever happens.
>
>Point taken on the overloading effects of the interpretation approach. 
>Though by just using searchish permissions (read, search,
>browseDN,returnDN), the effect of this could be minimised ie. at least
>the users could not change anything.

In OpenLDAP, our approach is to use permissions governing core
LDAP operations to govern extended operations.

For example, when LDAP Modify Password Extended Operation is
configured to update a directory attribute, we require "write"
permissions on that attribute.

If our implementation of StartTLS were dependent on read of
directory attribute (such as one holding a certificate), we'd
require "read" on that attribute.

We also use "psuedo" attributes (which don't actually exist)
to govern access to information not held in any attributes.

We also govern operations extended by control in a like manner.
For example, we require no special permission to use ManageDsaIt,
but we do require "read" access to the attributes returned due to
presence of the control.

That is, we have "operational experience" which shows that
"extended operation permissions" may not be necessary and can
be left out for now.