[Date Prev][Date Next] [Chronological] [Thread] [Top]

Default attribute access?

I'd like a way to specify per-attribute "default access controls", so
that one can specify the attribute's default access together with the
attribute definition (or with the include statement for the schema
file), rather than all over the place in the access statements in the
various databases.  An access statement at the beginning can be too
early.  But too late and any implicit or explicit '*' for attrs will
override it.

Maybe layered ACLs, so that if an operation gets access to attribute
foo from an access statement which does not include an explicit "to
attrs=foo", then try the next layer of access controls and use the
intersection of the accesses from both layers as the actual access to

So instead of
   access to attrs=userPassword ...
before anything like
   access to dn.subtree=whatever by * read
one could have it just one place - or none, if the default is built
into the userPassword definition as an extension.

Also a way to do the equivalent of ending the access list with this,
if that does not exist already:
   access to attrs=<operational attributes> by * +0
   access to * by * none
   access to attrs=<user attributes> by * none
   access to * by * read

Comments?  Am I missing something?