
Re: about frequently used ACLs



Sounds like you are trying to implement a name form/
structure rule requirement using an access control...
I'd think it might be better to instead implement
DIT structure rules and name forms
(draft-ietf-ldapbis-models/X.501).

Kurt

At 11:55 PM 2/17/2004, Pierangelo Masarati wrote:
>A frequent use of ACL is in the form:
>
>"allow access to entries that reside
>in a subtree (or exactly one level
>below a subtree) and whose RDN is
>made of a single AVA, with a given
>attributeType."
>
>It's not easy to generate effective
>regexps for this case, and there are
>more efficient means to handle this
>case.
>
>So I suggest a DN style modifier that
>states something like this:
>
>"access to DN below some subtree (with
>one, subtree or children granularity)
>whose [at least one] RDN attributeType
>is <attr>", where "at least one" is
>optional.
>
>Something like:
>
>dn.{onelevel,subtree,children},ava[,multivalued] \
>        =<attr>;<pattern>
>
>The same could apply to the <who> clause.
>
>Comments?
>
>Ando.
>
>-- 
>Pierangelo Masarati
>mailto:pierangelo.masarati@sys-net.it
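The match discussed in this thread (entry within a given scope of a subtree, RDN made of a single AVA of a given attributeType), as an added example that is not part of either message and is not OpenLDAP code. Assumptions: the function names, the reading of `multivalued` as "at least one AVA has this type", backslash escapes only, case-insensitive comparison, and the constructed `NAIVE` regex; the `<pattern>` part of the proposal is not modelled.

```python
import re

def split_unescaped(s, sep):
    """Split s on sep, skipping separators escaped with a backslash."""
    parts, cur, i = [], "", 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur += s[i:i + 2]      # keep the escape pair intact
            i += 2
            continue
        if s[i] == sep:
            parts.append(cur)
            cur = ""
        else:
            cur += s[i]
        i += 1
    parts.append(cur)
    return parts

def parse_dn(dn):
    """Return the DN as a list of RDNs, each a list of (type, value) AVAs."""
    rdns = []
    for rdn in (split_unescaped(dn, ",") if dn.strip() else []):
        avas = []
        for ava in split_unescaped(rdn, "+"):
            atype, eq, value = ava.partition("=")
            if not eq or not atype.strip():
                raise ValueError("malformed AVA: %r" % ava)
            # Simplification: case-insensitive comparison of type and value.
            avas.append((atype.strip().lower(), value.strip().lower()))
        rdns.append(avas)
    return rdns

def rdn_rule_matches(dn, base, scope, attr, multivalued=False):
    """True if dn is within scope of base and its RDN is of type attr."""
    entry, root = parse_dn(dn), parse_dn(base)
    depth = len(entry) - len(root)
    if not entry or depth < 0 or entry[depth:] != root:
        return False
    in_scope = {"onelevel": depth == 1, "children": depth >= 1,
                "subtree": depth >= 0}[scope]
    types = [atype for atype, _ in entry[0]]
    if multivalued:                 # "at least one" AVA has this type
        return in_scope and attr.lower() in types
    return in_scope and types == [attr.lower()]

# The kind of regex the post calls hard to get right (constructed example).
NAIVE = re.compile(r"^uid=[^,]+,ou=people,dc=example,dc=com$", re.I)
```

The constructed regex over-grants on a multi-AVA RDN such as `uid=ando+cn=Ando` and under-grants on an escaped comma such as `uid=a\,b`, while the structural check handles both.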