[Date Prev][Date Next] [Chronological] [Thread] [Top]

Trying to better understand ACIs

I'm implementing a slapd directory without any global (slapd.conf) acl directives. I want to use the in-directory model of acis for the entire directory. Yes I understand the pros and cons of doing this, but I mostly experimenting and if nothing at all I'll get a better understanding of acis and acls

I'm adding the following directive
access to * by aci write#To enable full control of the entire directory with ACI
Following this I'd like to strip out all code to global acl checks and only base my checks off the on object ACIs. The code itself is rather hairy so I'd rather implement my own access_allowed() function.

The question I have is the following

a) When access_allowed is called on a specific entry, attribute, value, the on object ACL (object ACI) is passed in the function call. How do I decipher which parameter contains the ACL/ACI ?

b) How does search request retrieve the acls associated with a result set...
i) My question is more like , presumably for every result off a search request, the server retrieves the list of applicable ACI ... is this accurate?

2) Secondly, is there any form of static inheritance of object ACIs (again I'm assuming that we have a model where we only have on object ACIs and no external configuration via slapd.conf ACL directives..

Every time an object is created in a container, I'd like that object to inherit security ACIs off the parent object. This would be a one-time occurrence - which is why the model is a static inheritance model - post that if the admin or anyone else modifies the child objects ACI entries they're on their own.

Any help/enlightenment would be much appreciated.