[Date Prev][Date Next]
Trying to better understand ACIs
I'm implementing a slapd directory without any global (slapd.conf) acl
directives. I want to use the in-directory model of acis for the entire
directory. Yes I understand the pros and cons of doing this, but I mostly
experimenting and if nothing at all I'll get a better understanding of acis
I'm adding the following directive
access to * by aci write#To enable full control of the entire directory with
Following this I'd like to strip out all code to global acl checks and only
base my checks off the on object ACIs. The code itself is rather hairy so
I'd rather implement my own access_allowed() function.
The question I have is the following
a) When access_allowed is called on a specific entry, attribute, value, the
on object ACL (object ACI) is passed in the function call. How do I decipher
which parameter contains the ACL/ACI ?
b) How does search request retrieve the acls associated with a result set...
i) My question is more like , presumably for every result off a search
request, the server retrieves the list of applicable ACI ... is this
2) Secondly, is there any form of static inheritance of object ACIs (again
I'm assuming that we have a model where we only have on object ACIs and no
external configuration via slapd.conf ACL directives..
Every time an object is created in a container, I'd like that object to
inherit security ACIs off the parent object. This would be a one-time
occurrence - which is why the model is a static inheritance model - post
that if the admin or anyone else modifies the child objects ACI entries
they're on their own.
Any help/enlightenment would be much appreciated.