[Date Prev][Date Next] [Chronological] [Thread] [Top]

extended acl

To: <OpenLDAP-devel@OpenLDAP.org>
Subject: extended acl
From: "Ivan Leong" <ivanl@pacific.net.sg>
Date: Tue, 15 Jun 1999 11:18:03 +0800
Importance: Normal

i've a scenario has such:

i've users in the region of 200K to 500k.
their dn looks like:
      dn: mail=userid@domain.com

each of these users can create his own
private address book, which form records
from his subtree.
      dn: mail=friend1@fox.com, mail=user1@domain.com
      dn: mail=friend2@box.com, mail=user1@domain.com

(user1@domain.com has two persons: friend1@fox.com
 and friend2@box.com in his private addr book)

therefore all in all, i've up to 500K subtrees.

each user can only look/search/write to his record
and his records in his addr book subtree.

---------

now with umich ldap/openldap acl format, i need
nothing short of 500k acl entries.

on looking over netscape aci/acl format, they
have some kind of inheritance matching. the acl
for the addr book records is

  access to dn="mail=[^,]+,mail=[^,]+"
         by parent write
         by .*     none

of cos to protect the base 500k users, we've

  access to dn="^mail=[^,]+$"
         by self write
         by .*   none

---------

my question is, is anyone extending on openldap's
acl?

support a new keyword "parent" might do it.

comments? email.

Follow-Ups:
- Re: extended acl
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: superior keyword
Next by Date: Re: extended acl
Index(es):
- Chronological
- Thread