RE: Granting rights based on relationships
At 02:03 PM 6/7/00 -0700, Howard Chu wrote:
>This sounds pretty complicated to evaluate. It also sounds like we need to
>cache a copy of the currently bound user's entry with the connection, as I
>suggested before for atattr support.
We might cache information derived from the user's entry with the connection,
but not the entry itself.
>It also seems to me, that the suggestion of caching already-evaluated
>ACLs makes sense to do here.
This gets messy and likely of limited value. First, ACL by clause
dn=<regex> is based upon what the "to dn=<regex>" is and allows
for substitution. Second, you have to preserve order of all ACLs.
And also note that current evaluation is "to X by Y" not
"by Y to X"...
>The list of evaluated ACLs probably should go
>on the connection handle itself, but I was first thinking of adding it to
>the cached user entry. Sticking them directly on the connection might be
>easier, otherwise we have to implement that virtual entry concept to take
>advantage of this trick for bind DNs that don't have corresponding entries
>in the slapd database.
Most backends don't have entry caching... mucking with the
entry cache is not an option and mucking with the entry
itself makes little sense.
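
Added example, not part of the original message and not slapd code: a simplified Python model of ordered "to X by Y" evaluation with regex substitution, showing why a result cached per connection (keyed on the bound user only) returns the wrong access for a different target. The rules, the DNs and the `$1` substitution syntax are constructed assumptions of this model.

```python
import re

# Constructed rules in a simplified "to X by Y" model (not slapd's parser).
# "$1" in a by pattern stands for group 1 of the "to" match; this
# substitution syntax is an assumption of the model.
RULES = [
    (r"^uid=[^,]+,ou=([^,]+),dc=example,dc=com$",
     [(r"^cn=manager,ou=$1,dc=example,dc=com$", "write"), (r".*", "read")]),
    (r".*", [(r".*", "none")]),
]

def match_by(by_clauses, to_match, bound_dn):
    """Return the access of the first by clause matching bound_dn."""
    for template, access in by_clauses:
        # Expand $N from the target match before testing the bound DN.
        pattern = re.sub(r"\$(\d)",
                         lambda g: re.escape(to_match.group(int(g.group(1)))),
                         template)
        if re.match(pattern, bound_dn):
            return access
    return "none"  # a "to" clause matched but no "by" clause did

def evaluate(target_dn, bound_dn, cache=None):
    """Ordered evaluation: first matching "to" clause, then its "by" list.

    If cache is a dict, by-clause results are stored per rule index only,
    which is the naive per-connection cache keyed on the bound user.
    """
    for index, (to_pattern, by_clauses) in enumerate(RULES):
        to_match = re.match(to_pattern, target_dn)
        if to_match is None:
            continue
        if cache is not None and index in cache:
            return cache[index]  # stale: ignores what this target matched
        access = match_by(by_clauses, to_match, bound_dn)
        if cache is not None:
            cache[index] = access
        return access
    return "none"

def demo():
    manager = "cn=manager,ou=sales,dc=example,dc=com"
    own = "uid=alice,ou=sales,dc=example,dc=com"
    other = "uid=bob,ou=eng,dc=example,dc=com"
    connection_cache = {}
    first = evaluate(own, manager, connection_cache)
    cached = evaluate(other, manager, connection_cache)
    return first, cached, evaluate(other, manager)
```

`demo()` returns the access for the manager's own subtree, the cached answer for an entry in another subtree, and the correct uncached answer for that same entry.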