
Re: ACI syntax

At 02:15 PM 6/7/00 -0400, Mark Valence wrote:
>I'll be updating the ACI syntax soon, and I need comments on what the 
>OpenLDAPaci syntax should look like.  I propose that we use a syntax 
>similar to the latest LDAPaci syntax, which is a bit cleaner than 
>what's implemented right now.

I'd like to divorce the two syntaxes as much as possible to avoid
confusion.  LDAPaci is a moving target; it will change.  I'd rather
avoid having to explain why subtle syntax differences
have significant differences in semantics.

Examples below are for discussion purposes (and food for thought).

For example, I'd like to support dn=<regex> in ACIs... but
also support dn/{base,one,sub,children}=<DN> syntax like what
we discussed for ACLs.  LDAPaci doesn't support regexes, but
OpenLDAPaci should.

I'd also like to have ACLs like:
	access to objectclass=UserModifiable
		by self write

where the ACL would apply to all allowed attributes of the
UserModifiable object class. Basically a "collection" in LDAPaci
terms.  But LDAPaci collections are not object class driven,
so I'd rather not use the LDAPaci syntax for this.  [Note the
entry may not actually be a UserModifiable object... this
is not equivalent to filter=(objectClass=UserModifiable).]

>One difference might be to use keywords (in the "subject" field) that 
>match the keywords that are used for OpenLDAP ACLs.  I'm thinking 
>about the "ipAddress" keyword that LDAPaci uses -- we might prefer 
>using "sockurl", which implies that this is a URL, not merely an IP 
>address (doesn't everybody use DHCP now anyway? ;-)

URLs, please... with regex support.

>We'd also add a "dnattr" keyword, which is actually implemented now, 
>and any other of the ACL subject ("who") categories that are useful. 
>I'd also keep "this" and "public" from the LDAPaci spec.
>
>I'd also like to extend the attribute field so that it can do value 
>matches, like are implemented now.