[Date Prev][Date Next]
Wishes for set ACLs
I've got a few wishes for set acls.
First, here is a brief explanation of sets for the uninitiated
(hopefully I've got it right):
- 'access ... by set=<set>' evaluates an expression as a set of
strings, and selects the "by" clause if the result set is not empty.
- 'user' is a 1-element set with the bound DN.
- 'this' is a 1-element set with the DN being accessed.
- [<any text>] is a 1-element set with that text.
- <set>/<attribute> looks up the entries with the DNs in <set>,
and returns the values of <attribute> in the entries.
- '&' produces the intersection of two sets.
- there is some more, but that's enough to get the idea.
More detail in <http://www.openldap.org/faq/data/cache/1133.html>
It would be nice to have boolean operators on sets. That allows
e.g. 'members of posixGroup A can access members of posixGroup B':
(user/uid & [cn=A]/memberUid) && (this/uid & [cn=B]/memberUid)
where '&&' would return the empty set if one of the sets are empty, and
either the set  or the last set otherwise.
or it could be
(user/uid & [cn=A]/memberUid)@bool & (this/uid & [cn=B]/memberUid)@bool
where <set>@bool returns the empty set if <set> is empty and 
Or spell @bool as just @ or ? or whatever, but we'll probably want more
transformations later so maybe it's best to not use up too many special
An operator would be useful which escaped the members of a set as DNs.
"[cn=] + user/cn + [,o=foo]" is wrong if the cn contains ",".
Maybe an un-escaping operator too, for "self/uid & [$1]" where $1
comes from a regular expression match in the 'access to' clause.