[Date Prev][Date Next] [Chronological] [Thread] [Top]

attribute for 'access to filter=...'

I wonder if OpenLDAP should define an operational attribute intended
to be used for 'filter=' and 'set=' access controls?  Maybe just with
string syntax, more or less free-form contents chosen by the admin.

Our LDAP project is about to define an attribute for filter= and I've
seen others need it, but since its functionality is implementation-
specific it doesn't quite seem to belong in an organization's or LDAP
project's schema.  In particular if the organization has no other
private schema elements...

E.g. one could use things like

   access to filter=(OpenLDAPobjectAccess=invisible) by self write

or a few statements like

   access to filter=(OpenLDAPobjectAccess=userPassword:localadm)
          by group=cn=localadm,cn=groups,dc=example,dc=com =xw
          by * auth


  access to attrs=x,y,z by set="([foo] | [bar] | [baz])
		                & user/OpenLDAPobjectAccess
		                & this/OpenLDAPobjectAccess" write
  (though a group memberOf attribute might be better in that case.)