
RE: new function: ldap_access (ITS#2789)



What you're requesting would require an extension of the LDAP protocol. Since
there currently is no standard specification for how access control is
performed in LDAP, you might need that spec to be hashed out first.

Having thought very briefly about this, I would make this a Control that
rides on an LDAP Search request. The control response would accompany every
SearchResultEntry and contain a list of all the modifiable attributes in the
SearchResultEntry. That should provide sufficient information without getting
lost in the details of how access controls are implemented in a particular
directory server.

If your request is that we implement such a feature in OpenLDAP, I think the
answer is "we can't until a standard spec exists for the feature."

> -----Original Message-----
> From: owner-openldap-bugs@OpenLDAP.org
> [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of ace@suares.nl

> Full_Name: Ace SU-ares
> Version: any
> OS: noarch
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (216.152.170.243)
>
>
> Feature Request:
>
> Determining what kind of access is granted can sometimes be
> very convenient.
>
> For instance, when retrieving an entry, some attributes might
> be writable,
> others readable.
>
> One method of solving this would be an extension to ldap_search;
> giving an extra access-character (r,w, etc) to every attribute.
>
> However, this could also be achieved with a separate tool or
> function, which I propose calling 'ldap_access'.
>
> ldap_access would give for each entry and each attribute the
> access level (r,w, etc).
>
> ldap_access would take many of the same arguments from ldap_search.
>
> It should be just as easy to request the access level of a
> single attribute as well as many attributes of many entries.
> Pseudo attributes 'entry' and 'children' should also be accessible.
>
> Proposed is to represent the output in LDIF format where the
> values be replaced
> by the access level.
>

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support