
(ITS#3625) [enhancement] per-operation ACLs

Full_Name: Pierangelo Masarati
Version: HEAD
OS: irrelevant
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (
Submitted by: ando

Every now and then people look for a means to allow adding an entry rather than
deleting it or modifying it and so on.  I think this could be easily obtained
with a quite limited effort by adding an operation mask to the <what> clause,
something like

access to * op=add,delete
    by ...

so that only operations within the mask do match the <what>.  The mask could
also be negated, like 

access to * op!=modify
    by ...

and we could use groups like "read,write,auth".  This should be tested before
anything else, since it's basically a bitwise AND, so it could save a lot of
effort by working out all the ACLs that are not intended for a specific
operation.  I think this goes in the direction of something that Hallvard asked
shortly ago.

I'll prepare a prototype in a moment.
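The proposal above (an `op=` / `op!=` mask on the `<what>` clause, evaluated as a bitwise AND before any other `<what>` matching) can be sketched in a few lines of C. The block below is an added illustration of that semantics, not slapd's prototype or any code from the ITS; the bit assignments, the group definitions for `read`, `write` and `auth`, and the function names `op_mask_parse` and `acl_applies` are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* One bit per LDAP operation. Hypothetical encoding for this example;
 * slapd's own operation constants are not used here. */
enum {
    OP_BIND    = 1 << 0,
    OP_SEARCH  = 1 << 1,
    OP_COMPARE = 1 << 2,
    OP_ADD     = 1 << 3,
    OP_DELETE  = 1 << 4,
    OP_MODIFY  = 1 << 5,
    OP_MODRDN  = 1 << 6,
    OP_ALL     = (1 << 7) - 1
};

/* Names accepted in the mask: single operations plus the groups the ITS
 * mentions ("read,write,auth"). Group membership is an assumption. */
static const struct { const char *name; unsigned mask; } op_names[] = {
    { "bind",    OP_BIND    }, { "search", OP_SEARCH },
    { "compare", OP_COMPARE }, { "add",    OP_ADD    },
    { "delete",  OP_DELETE  }, { "modify", OP_MODIFY },
    { "modrdn",  OP_MODRDN  },
    { "auth",  OP_BIND },
    { "read",  OP_SEARCH | OP_COMPARE },
    { "write", OP_ADD | OP_DELETE | OP_MODIFY | OP_MODRDN },
};

/* Parse "op=add,delete" or "op!=modify" into a bitmask of operations the
 * ACL applies to. Returns 0 on success, -1 on a syntax error or unknown
 * operation name (unknown names are rejected rather than ignored, so a typo
 * cannot silently widen or narrow an ACL). */
int op_mask_parse(const char *spec, unsigned *mask)
{
    const char *p = spec;
    unsigned m = 0;
    int negate = 0;

    if (strncmp(p, "op", 2) != 0) return -1;
    p += 2;
    if (*p == '!') { negate = 1; p++; }
    if (*p++ != '=') return -1;
    if (*p == '\0') return -1;              /* "op=" with nothing after it */

    while (*p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        unsigned bit = 0;
        size_t i;

        if (len == 0) return -1;            /* empty element, e.g. "add,,delete" */
        for (i = 0; i < sizeof op_names / sizeof op_names[0]; i++) {
            if (strlen(op_names[i].name) == len &&
                strncmp(op_names[i].name, p, len) == 0) {
                bit = op_names[i].mask;
                break;
            }
        }
        if (bit == 0) return -1;            /* unknown operation name */
        m |= bit;
        if (!end) break;
        p = end + 1;
        if (*p == '\0') return -1;          /* trailing comma */
    }

    *mask = negate ? (OP_ALL & ~m) : m;
    return 0;
}

/* The check the ITS describes: a plain bitwise AND between the ACL's mask
 * and the current operation, done before the rest of the <what> clause is
 * evaluated. Returns 1 if the ACL applies, 0 if it is skipped, -1 if the
 * mask itself is malformed. */
int acl_applies(const char *spec, unsigned op)
{
    unsigned mask;
    if (op_mask_parse(spec, &mask) != 0) return -1;
    return (mask & op) != 0;
}

int main(void)
{
    const char *specs[] = { "op=add,delete", "op!=modify", "op=read,write,auth", "op=foo" };
    const unsigned ops[] = { OP_ADD, OP_MODIFY, OP_SEARCH };
    const char *op_labels[] = { "add", "modify", "search" };
    size_t i, j;

    for (i = 0; i < sizeof specs / sizeof specs[0]; i++)
        for (j = 0; j < sizeof ops / sizeof ops[0]; j++)
            printf("%-22s %-8s -> %d\n", specs[i], op_labels[j],
                   acl_applies(specs[i], ops[j]));
    return 0;
}
```

Because the mask test is a single AND on an integer, it is cheap enough to run first and discard every ACL that was never meant for the current operation, which is the saving the ITS points at; the negated form is just the complement of the parsed set within `OP_ALL`.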