
Re: child modification



> Off topic: one drawback to your approach is that you have to rely
> on rootdn to deal with orphaned entries (entries with an invalid manager
> or no manager).

Yes.  But I don't see it as a real problem: before copying the data
from the ldap server to the qmail database, I do a semantic check of the
contents of the directory (valid email addresses, no duplicates, etc.)
so it's easy to check for and report illegal manager entries.


> Before making "entry" ACLs a configurable option, I like to:
> 	1) review other options
> 	2) look at ways of integrating "entry" ACLs which protect
>          against misconfiguration
> 
> Here's one slight variant which might work out okay:
> 
>  add:
> 	require write to parent's "children"
> 
>  modrdn/delete:
> 	require write to parent's "children"
> 	AND, if entry acls enabled, write to entry's "entry".
> 
>  rename:
> 	require write to old and new parent's "children"
> 	AND, if entry acls enabled, write to entry's "entry".

This would work for me, and I believe it's a reasonable design.


Now that I think about it, I have something else to propose, which may
or may not have been discussed before on this list, but I'm fairly new to
all this:

When I read the docs for the Netscape Directory server, I found an "add"
and a "delete" right in the access list.

I was quite surprised when I came to OpenLDAP to find no similar
concept, and I had to dig into the source to find out how "add" was
handled.

How difficult would it be to add such an access right? Wouldn't it be a
cleaner way of dealing with all this? Of course I may not be aware of
all the issues; maybe it's not flexible enough.

Also, is the strict ordering write > read > search > ... necessary?
Couldn't we refine the rights in a non-strict ordering fashion, say:
    add
    delete
    write (= modify only)
    read
    search
    compare
    selfwrite
maybe others I forget.

Or is all this mandated by the LDAP specs?


While I'm on the topic, for those who know the code, how difficult would
it be to add Netscape-like ACLs directly into the entries (the aci:
attribute)?
http://devedge.netscape.com/docs/manuals/directory/dir40/ag/acl.htm
was very interesting to read.
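The per-operation rules quoted in the reply above (write on the parent's "children" for add, plus write on the entry's own "entry" for delete/modrdn/rename when entry ACLs are enabled), modelled as an added example that is not OpenLDAP's code; the DNs, the `Grant` type and the `helpdesk` account are constructed for illustration, and "modrdn" is read here as a rename under the same parent while "rename" is a move to a new parent.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    """One ACL clause: subject gets `level` on pseudo-attribute `attr` of `dn`."""
    dn: str
    attr: str      # "children" (on a parent) or "entry" (on the entry itself)
    subject: str
    level: str     # "write" or "read"

def parent_of(dn: str) -> str:
    # Assumption: DNs are comma-separated RDNs with no escaped commas.
    return dn.split(",", 1)[1] if "," in dn else ""

def has_write(grants, subject, dn, attr) -> bool:
    return any(g.dn == dn and g.attr == attr and g.subject == subject
               and g.level == "write" for g in grants)

def authorize(grants, subject, op, dn, new_parent=None, entry_acls=False) -> bool:
    """Apply the quoted proposal to one operation on `dn`.
    add/modrdn/delete: write on parent's "children";
    rename (move):     write on old AND new parent's "children";
    delete/modrdn/rename additionally need write on the entry's "entry"
    when entry ACLs are enabled."""
    needed = [(parent_of(dn), "children")]
    if op == "rename":
        needed.append((new_parent, "children"))
    if op in ("delete", "modrdn", "rename") and entry_acls:
        needed.append((dn, "entry"))
    return all(has_write(grants, subject, d, a) for d, a in needed)

# Constructed sample: a helpdesk account has "children" write on two branches,
# but an "entry" grant on only one entry.
HELPDESK = "uid=helpdesk,ou=people,dc=example,dc=com"
GRANTS = (
    Grant("ou=people,dc=example,dc=com", "children", HELPDESK, "write"),
    Grant("ou=admins,dc=example,dc=com", "children", HELPDESK, "write"),
    Grant("uid=bob,ou=people,dc=example,dc=com", "entry", HELPDESK, "write"),
)

def demo(entry_acls: bool) -> dict:
    """Outcomes for the same grants with entry ACLs off versus on."""
    people, admins = "ou=people,dc=example,dc=com", "ou=admins,dc=example,dc=com"
    return {
        "add": authorize(GRANTS, HELPDESK, "add", "uid=new," + people, entry_acls=entry_acls),
        "delete_bob": authorize(GRANTS, HELPDESK, "delete", "uid=bob," + people, entry_acls=entry_acls),
        "delete_root": authorize(GRANTS, HELPDESK, "delete", "uid=root," + admins, entry_acls=entry_acls),
        "move_bob": authorize(GRANTS, HELPDESK, "rename", "uid=bob," + people,
                              new_parent=admins, entry_acls=entry_acls),
    }
```

With entry ACLs off, the "children" grant on ou=admins alone lets the helpdesk delete uid=root; with them on, the missing "entry" grant blocks that deletion while add and the explicitly granted bob operations still succeed.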