[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Granting rights based on relationships

At 02:03 PM 6/7/00 -0700, Howard Chu wrote:
>This sounds pretty complicated to evaluate. It also sounds like we need to
>cache a copy of the currently bound user's entry with the connection, as I
>suggested before for atattr support.

We might cache information derived the user's entry with the connection,
but not the entry itself.

>It also seems to me, that the suggestion of caching already-evaluated
>ACLs makes sense to do here.

This gets messy and likely of limited value.  First, ACL by clause
dn=<regex> is based upon what the "to dn=<regex>" is and allows
for subsitution.  Second, you have to preserve order of all ACLs.

And also note that current evaluatation is "to X by Y" not
"by Y to X"... 

>The list of evaluated ACLs probably should go
>on the connection handle itself,

>, but I was first thinking of adding it to
>the cached user entry. Sticking them directly on the connection might be
>easier, otherwise we have to implement that virtual entry concept to take
>advantage of this trick for bind DNs that don't have corresponding entries
>in the slapd database.

Most backend don't have entry caching... mucking with the
entry cache is not an option and mucking with the entry
itself makes little sense.