(ITS#6198) Authorization for extensions

Full_Name: Howard Chu
Version: HEAD/2.5
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (
Submitted by: hyc

The access control mechanism needs to be extended to control actions, not just
objects, to control who may use various LDAP Controls and Extended Operations.

  access to control=<oid> by <who>
  access to op=<operation or oid> by <who>

Perhaps the control= / op= specifier should be usable in combination with the
other <what> specifiers; I haven't thought too deeply about it. It only makes
sense in limited contexts, since various extensions may not even affect any
particular directory object.