[Date Prev][Date Next]
Re: attribute for 'access to filter=...'
At 03:04 AM 4/16/2005, Hallvard B Furuseth wrote:
>I wonder if OpenLDAP should define an operational attribute intended
>to be used for 'filter=' and 'set=' access controls? Maybe just with
>string syntax, more or less free-form contents chosen by the admin.
What's the operational semantics of the attribute?
>Our LDAP project is about to define an attribute for filter= and I've
>seen others need it, but since its functionality is implementation-
>specific it doesn't quite seem to belong in an organization's or LDAP
Though specification of ACLs are certainly implementation
specific, this attribute doesn't appear to be implementation
>In particular if the organization has no other
>private schema elements...
>E.g. one could use things like
> access to filter=(OpenLDAPobjectAccess=invisible) by self write
>or a few statements like
> access to filter=(OpenLDAPobjectAccess=userPassword:localadm)
> by group=cn=localadm,cn=groups,dc=example,dc=com =xw
> by * auth
> access to attrs=x,y,z by set="([foo] | [bar] | [baz])
> & user/OpenLDAPobjectAccess
> & this/OpenLDAPobjectAccess" write
> (though a group memberOf attribute might be better in that case.)