New ACL model and test operations


First point: I am looking to integrate a new ACL model into OpenLDAP.

The main idea of this model is that the relationship between entries is the main key for authorizing the search or modification of entries. So I thought of a relation-oriented ACL model. It has not been conceived to replace ACL or ACI, but to fill the gap between ACL and ACI!

The choice to use entries to store these new ACLs may also be reused: by using LDAP entries, ACLs are synchronized between master and slaves.

I made a first try (which is located at SourceForge - aacls.sourceforge.net), which is now in beta. It has been designed as a backend, but I don't think now that this was the right choice.

So I want to know whether it would be interesting to rewrite it and integrate it into OpenLDAP.

The second point is about test operations: the main idea is that, if the directory is able to know when authenticated users are authorized to write to an attribute, to create an entry or to delete an entry, administration interfaces could use this information to generate pages. So what do you think about implementing an LDAP extended operation which can test a particular right (i.e. the right to modify an attribute of a specific entry, depending on the authenticated user)?

(The test write operation is also part of the first try published on SourceForge.)

Best regards,