[Date Prev][Date Next]
Re: (ITS#6198) Authorization for extensions
Michael Ströder wrote:
> hyc@OpenLDAP.org wrote:
>> Full_Name: Howard Chu
>> Version: HEAD/2.5
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (220.127.116.11)
>> Submitted by: hyc
>> The access control mechanism needs to be extended to control actions, not just
>> objects, to control who may use various LDAP Controls and Extended Operations.
>> access to control=<oid> by<who>
>> access to op=<operation or oid> by<who>
> What is "operation" supposed to be? I'd prefer only to allow "oid" since
> OIDs are the only identifiers clearly specified in RFCs and I-Ds.
Ugh, no. There's no way any sysadmin is going to remember what each OID means.
Each exop will be given a "friendly name" like WhoAmI, ModifyPwd, etc.
Don't make the same mistake the original LDAP implementers did - numeric OIDs
are for machine consumption only; they should always be mapped to mnemonic
names for use by humans. (Technically they should be mapped to *localized*
names; obviously the names were not intended to be part of the protocol
specification. This is another glaring flaw in the LDAP specifications...)
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/