Re: (ITS#3625) [enhancement] per-operation ACLs
Kurt D. Zeilenga wrote:
>What about modify operations which add entries, or
>add operations that modify existing entries, or
>delete operations that do searches, or searches
>that do deletes?
>Is it the LDAP op code that matters here? or the
>underlying DIT operation? I think the latter.
Are you thinking about internal operations, such as those performed by
syncrepl or things like that? I understand your point, and in fact I'd
try to use the op code related to the operation requested by the client
(which is not what the code is doing right now) instead of that of the
current operation. However, it is my understanding that whenever an
operation is doing something radically different (e.g., a search deletes
an entry) it is likely to be performed with some administrative
privileges (e.g., rootdn or so).
>Maybe it would make more sense to divide "w"
>into different kinds of writes?
> permission = "a" / ; add
> "d" / ; delete
> "e" / ; export
> "i" / ; import
> "n" / ; renameDN
> "b" / ; browseDN
> "t" / ; returnDN
> "r" / ; read
> "s" / ; search
> "w" / ; write (mod-add)
> "o" / ; obliterate (mod-del)
> "c" / ; compare
> "m" / ; make
SysNet - via Dossi, 8 - 27100 Pavia - Tel: +390382573859 - Fax: +390382476497