Re: Access conttrol as an overlay function

["Kurt D. Zeilenga" <Kurt@OpenLDAP.org>]

At 01:53 PM 7/1/2004, Roland Hedberg wrote:
>I'm planning to implement SPOCP based access control in OpenLDAP as a overlay.

I'm not an overlay expert... hopefully one will step in if I
am off base here.

>The overlay will weed out not permitted operations on the way to the backend, and I also plan to let the overlay remove entries, attributes and/or attribute values from search responses comming back from the backends depending on the requestors permissions.

What an overlay can/cannot muck differs between the request
(input) side and the response (output) side.  On the the
request side, the overlay can pretty much muck at will
because the information is local to that operation.  However,
in responses, the information (such as entry data) can be
shared (as managed by the backend).  So, send_entry functions
MUST NOT alter the entry struct referenced by sr_entry.
They however can alter sr_entry to point to a different entry.

If you do provide a replacement entry, then you need to
tell send_entry to free it (REP_ENTRY_MUSTBEFREED) or not
(and, if not, manage the replacement entry memory by other
means).  And if its to be freed, you cannot copy by reference
from the original entry.

>In that context I have been looking for a way to remove individual values from a list of values for a attribute (as well as attributes from a entry). But there doesn't seem to be a nice way to do this. The variant I have seen is that a new array is created and the attribute values that you want to keep are copied there from the old array and then afterwards you swap the new for the old and remove the old.
>
>This seems a bit inefficient to me,

It would be nice if we had per attribute _MUSTBEFREED flags
so that one could copy (all) values of the original entry
by reference.

>so have I missed something. Are there good reason for not, as an example, move BerValues from one BerVarray to another.
>
>-- Roland