Re: attribute for 'access to filter=...'
Hallvard B Furuseth wrote:
Makes sense, although its "specification" may sound a bit too loose
right now (I guess you intended it so...).
I wonder if OpenLDAP should define an operational attribute intended
to be used for 'filter=' and 'set=' access controls? Maybe just with
string syntax, more or less free-form contents chosen by the admin.
Our LDAP project is about to define an attribute for filter= and I've
seen others need it, but since its functionality is implementation-specific
it doesn't quite seem to belong in an organization's or LDAP
project's schema. In particular if the organization has no other
private schema elements...
E.g. one could use things like
    access to filter=(OpenLDAPobjectAccess=invisible) by self write
or a few statements like
    access to filter=(OpenLDAPobjectAccess=userPassword:localadm)
        by group=cn=localadm,cn=groups,dc=example,dc=com =xw
        by * auth
    access to attrs=x,y,z by set="([foo] | [bar] | [baz])
        & this/OpenLDAPobjectAccess" write
(though a group memberOf attribute might be better in that case.)
With respect to "memberOf", I have loose plans (if I'd ever have any
time to spare...) to implement a "memberOf" overlay that maintains
back-references (and referential integrity "a la" refint). Unless
someone else wants to jump in...
SysNet - via Dossi, 8 27100 Pavia Tel: +390382573859 Fax: +390382476497
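The filter= approach Hallvard sketches above, carried through as an added example that is not part of either post: a private schema fragment for the tag attribute (defined as an ordinary user attribute, since whether it should be operational is the open question of the thread) and the slapd.conf ACLs that consult it. The attribute name and tag values follow the quoted sketch; the OIDs, the class name and the admin group DNs are placeholders.

```conf
# Added example, not from the thread.  The OIDs are PLACEHOLDERS: use an arc
# under your own enterprise number.

# --- schema fragment: the tag attribute and an auxiliary class to carry it ---
# As a plain user attribute it is searchable and writable over LDAP, so the
# ACLs below must protect it explicitly.
attributetype ( 1.3.6.1.4.1.99999.1.1
    NAME 'OpenLDAPobjectAccess'
    DESC 'Free-form tags consulted only by access control rules'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

objectclass ( 1.3.6.1.4.1.99999.2.1
    NAME 'OpenLDAPobjectAccessObject'
    DESC 'Entry that carries access tags'
    AUXILIARY
    MAY OpenLDAPobjectAccess )

# --- slapd.conf ACLs.  slapd applies the first "access to" whose target
# matches the entry/attribute being checked, so the order is part of the
# policy. ---

# 1. Protect the tag itself before anything else: whoever can write it can
#    change what every filter= rule below grants.
access to attrs=OpenLDAPobjectAccess
    by group="cn=ldapadm,cn=groups,dc=example,dc=com" write
    by users read

# 2. Entries tagged "invisible": only the entry itself may read or write its
#    attributes (the "entry" pseudo-attribute governs returning the entry).
access to filter=(OpenLDAPobjectAccess=invisible)
    by self write
    by * none

# 3. Entries tagged "userPassword:localadm": local admins may reset the
#    password (=xw is write plus auth, no read); everyone else may only bind.
access to filter=(OpenLDAPobjectAccess=userPassword:localadm) attrs=userPassword
    by group="cn=localadm,cn=groups,dc=example,dc=com" =xw
    by * auth

# 4. Passwords on untagged entries, then the default rule.
access to attrs=userPassword
    by self =xw
    by * auth
access to *
    by self write
    by users read
    by anonymous auth
```

An entry is tagged by adding objectClass OpenLDAPobjectAccessObject and one OpenLDAPobjectAccess value per tag, e.g. OpenLDAPobjectAccess: userPassword:localadm. Because filter= is evaluated against the entry's current values, only the rule-1 admin group should ever be able to change those tags.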