
RE: Granting rights based on relationships




This sounds pretty complicated to evaluate. It also sounds like we need to
cache a copy of the currently bound user's entry with the connection, as I
suggested before for atattr support. I'll look into committing that change
soon. It also seems to me that the suggestion of caching already-evaluated
ACLs makes sense to do here. The list of evaluated ACLs probably should go
on the connection handle itself, but I was first thinking of adding it to
the cached user entry. Sticking them directly on the connection might be
easier, otherwise we have to implement that virtual entry concept to take
advantage of this trick for bind DNs that don't have corresponding entries
in the slapd database.

If by complicated you mean time consuming, yes it can be. But it's going to be no matter what, if this is functionality that you want to use (and putting aside the caching mechanisms you suggest).


It is not complicated code, and the syntax is very simple. I'll work on a syntax definition and send it off later (time to make dinner now).

Mark.