Re: (ITS#3625) [enhancement] per-operation ACLs

Kurt D. Zeilenga wrote:

>What about modify operations which add entries, or
>add operations that modify existing entries, or
>delete operations that do searches, or searches
>that do deletes?
>Is it the LDAP op code that matters here? or the
>underlying DIT operation?  I think the latter.
Are you thinking about internal operations, such as those performed by 
syncrepl or things like that?  I understand your point, and in fact I'd 
try to use the op code related to the operation requested by the client 
(which is not what the code is doing right now) instead of that of the 
current operation.  However, it is my understanding that whenever an 
operation is doing something radically different (e.g., a search deletes 
an entry) it is likely to be performed with some administrative 
privileges (e.g., rootdn or so).

>Maybe it would make more sense to divide "w"
>into different kinds of writes?
Something like

>  permission = "a" / ; add
>               "d" / ; delete
>               "e" / ; export
>               "i" / ; import
>               "n" / ; renameDN
>               "b" / ; browseDN
>               "t" / ; returnDN
>               "r" / ; read
>               "s" / ; search
>               "w" / ; write (mod-add)
>               "o" / ; obliterate (mod-del)
>               "c" / ; compare
>               "m" / ; make

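To make the effect of splitting "w" concrete, here is a toy evaluator for the single-letter permission set quoted above, decomposing a Modify request into its mod-add and mod-del changes. This is an added illustration, not slapd code; the first-matching-rule semantics, the `Rule`/`Op` classes and the sample DNs are assumptions of the example, and the client-versus-internal op-code question from the thread is not modelled.

```python
"""Toy model of the proposed per-operation ACL split (not slapd code).

Permission letters follow the grammar quoted in the thread: "a" add,
"d" delete, "n" renameDN, "r" read, "s" search, "w" write (mod-add),
"o" obliterate (mod-del), "c" compare.  A Modify request is decomposed
into its changes, so a principal granted only "w" can add attribute
values but cannot remove them, which one undivided "write" would allow.
"""
from dataclasses import dataclass, field

# Required permission for each top-level LDAP operation (proposed letters).
OP_PERMS = {"add": "a", "delete": "d", "modrdn": "n", "search": "s", "compare": "c"}
# Modify changes: replace removes old values and adds new ones, so it needs both.
CHANGE_PERMS = {"add": "w", "delete": "o", "replace": "wo"}

@dataclass
class Rule:
    dn_suffix: str   # "what": entries whose DN ends with this suffix
    who: str         # "by": a bound DN, or "*" for anyone
    perms: str       # granted permission letters, "" for none

@dataclass
class Op:
    kind: str                                    # LDAP operation requested
    target: str                                  # DN of the entry acted on
    changes: list = field(default_factory=list)  # modify: change types

def required(op: Op) -> set:
    """Permissions a request needs; modify needs the union over its changes."""
    if op.kind == "modify":
        return set("".join(CHANGE_PERMS[c] for c in op.changes))
    return {OP_PERMS[op.kind]}

def granted(rules, bound_dn: str, target: str) -> set:
    """First matching rule wins (assumed, mirroring access-to-by evaluation)."""
    for r in rules:
        if target.endswith(r.dn_suffix) and r.who in ("*", bound_dn):
            return set(r.perms)
    return set()

def allowed(rules, bound_dn: str, op: Op) -> bool:
    """True when every permission the request needs has been granted."""
    return required(op) <= granted(rules, bound_dn, op.target)

# Constructed sample policy: helpdesk may add values under ou=people, not remove them.
RULES = [
    Rule("ou=people,dc=example,dc=com", "cn=helpdesk,dc=example,dc=com", "rsw"),
    Rule("dc=example,dc=com", "cn=admin,dc=example,dc=com", "adnrswoc"),
    Rule("dc=example,dc=com", "*", "rs"),
]
```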