[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: new function: ldap_access (ITS#2789)

I'd have to agree with Howard here.  I'm inclined to reject
this software request.


At 06:54 PM 10/22/2003, hyc@symas.com wrote:
>What you're requesting would require an extension of the LDAP protocol. Since
>there currently is no standard specification for how access control is
>performed in LDAP, you might need that spec to be hashed out first.
>Having thought very briefly about this, I would make this a Control that
>rides on an LDAP Search request. The control response would accompany every
>SearchResultEntry and contain a list of all the modifiable attributes in the
>SearchResultEntry. That should provide sufficient information without getting
>lost in the details of how access controls are implemented in a particular
>directory server.
>If your request is that we implement such a feature in OpenLDAP, I think the
>answer is "we can't until a standard spec exists for the feature."
>> -----Original Message-----
>> From: owner-openldap-bugs@OpenLDAP.org
>> [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of ace@suares.nl
>> Full_Name: Ace SU-ares
>> Version: any
>> OS: noarch
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (
>> Feature Request:
>> Determining what kind of access is granted can sometimes be
>> very convenient.
>> For instance, when retrieving an entry, some attributes might
>> be writable,
>> others readable.
>> One method of solving this would be an extention to
>> ldap_search; giving an extra
>> access-character (r,w, etc) to every attribute.
>> However, this could also be achieved with a seperate tool or
>> function, which I
>> propose calling 'ldap_access'.
>> ldap_access would give for each entry and each attribute the
>> acess level (r,w,
>> etc).
>> ldap_access would take many of the same arguments from ldap_search.
>> it should be just as easy to request the access level of a
>> single attribute as
>> well as many attributes of many entries. pseudo attributes 'entry' and
>> 'children' should also be accessible.
>> Proposed is to represent the output in LDIF format where the
>> values be replaced
>> by the access level.
>  -- Howard Chu
>  Chief Architect, Symas Corp.       Director, Highland Sun
>  http://www.symas.com               http://highlandsun.com/hyc
>  Symas: Premier OpenSource Development and Support