New ACL model and test operations
First point: I am looking to integrate a new ACL model in OpenLDAP.
The main idea of this model is that the relationship between entries is the
main key to authorizing searches or modifications of entries. So I thought of a
relation-oriented ACL model. It has not been conceived to replace ACL or
ACI, but to fill the gap between ACL and ACI!
The choice to use entries to store these new ACLs may also be reused: by
using LDAP entries, ACLs are synchronized between master and slaves.
I gave a first try (which is located at Sourceforge -
aacls.sourceforge.net), which is now in beta stage. It has been designed
as a backend but I don't think now that this was the right choice.
So I want to know if it could be interesting to rewrite and integrate it
The second point is about test operations: the main idea is, if the
directory is able to know when authenticated users are authorized to
write to an attribute, to create or to delete an entry, administration
interfaces could use this information to generate pages. So what do you
think about implementing an LDAP extended operation which can test a
particular right (i.e. the right to modify the attribute of a particular entry,
depending on the authenticated user)?
(the test write operation is also part of the first try published on