Re: (ITS#3625) [enhancement] per-operation ACLs
Watch out for manage (m) and disclose (d) permissions.
At 01:10 PM 4/1/2005, Kurt@OpenLDAP.org wrote:
>At 12:52 PM 4/1/2005, firstname.lastname@example.org wrote:
>>Kurt D. Zeilenga wrote:
>>>What about modify operations which add entries, or
>>>add operations that modify existing entries, or
>>>delete operations that do searches, or searches
>>>that do deletes?
>>>Is it the LDAP op code that matters here? or the
>>>underlying DIT operation? I think the latter.
>>Are you thinking about internal operations, as those performed by
>>syncrepl or things like that?
>I'm thinking about operations extended by controls,
>overlay/SLAPI games, etc..
>>I understand your point, and in fact I'd
>>try to use the op code related to the operation requested by the client
>>(which is not what the code is doing right now) instead of that of the
>>current operation. However, it is my understanding that whenever an
>>operation is doing something radically different (e.g., a search deletes
>>an entry) it is likely to be performed with some administrative
>>privileges (e.g. rootdn or so).
>>>Maybe it would make more sense to divide "w"
>>>into different kinds of writes?
>>> permission = "a" / ; add
>>> "d" / ; delete
>>> "e" / ; export
>>> "i" / ; import
>>> "n" / ; renameDN
>>> "b" / ; browseDN
>>> "t" / ; returnDN
>>> "r" / ; read
>>> "s" / ; search
>>> "w" / ; write (mod-add)
>>> "o" / ; obliterate (mod-del)
>>> "c" / ; compare
>>> "m" / ; make
>> SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497