
Subtree ACIs


I have recently been looking at the in-directory ACI implementation and
trying to implement subtree ACIs. I've made good progress so far. I am now
wondering about some details of how the evaluation should be performed.

Does scope "subtree" include the "entry"-scope? i.e. should ACIs with the
scope "subtree" also be evaluated for the entry they are in or only for
its child entries? My current implementation evaluates "subtree" ACIs only
for the child entries.

If an entry contains "entry"-scope ACIs that do not explicitly allow
or deny access for the current operation, should the "subtree"-ACIs of its
parent entries be evaluated or should the access be denied? (Do ACIs deeper
in the tree completely reset higher level ACIs, or do they just overwrite
parts of the higher level ACIs?)

I also have some problems understanding the caching that is performed
during ACL evaluation. It would be nice if someone could enlighten me a bit
about how that works. (e.g. what exactly is cached and what does the 

Ralf Haferkamp

SuSE Linux AG                                    - The Linux Experts -
Deutschherrnstrasse 15-19                         http://www.suse.com
D-90429 Nuernberg, Germany                        Tel: +49-911-74053-0