[Date Prev][Date Next]
(ITS#6198) Authorization for extensions
Full_Name: Howard Chu
Submission from: (NULL) (220.127.116.11)
Submitted by: hyc
The access control mechanism needs to be extended to control actions, not just
objects, to control who may use various LDAP Controls and Extended Operations.
access to control=<oid> by <who>
access to op=<operation or oid> by <who>
Perhaps the control= / op= specifier should be usable in combination with the
other <what> specifiers; I haven't thought too deeply about it. It only makes
sense in limited contexts, since various extensions may not even affect any
particular directory object.