[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL decisions based on requested access

Rein Tollevik wrote:
I have a fairly complicated ACL set which I need to optimize the
evaluation of.  To do this I need to make decisions based on the
requested access level, which currently isn't possible (as far as I know
that is).  E.g, most of my ACLs are concerned with whether the entries
and attributes should be read or writable or not, and I would like to
quickly grant search access when that is all that is requested.

One possibility I have considered is to add a new optional<requested
access>  field between the existing<who>  and the<access>  clauses, but
I'm not very happy with that solution as it could easily be mixed with
the existing<access>.

For what it's worth, HP had a similar requirement. We showed them how to write a dynacl module to intercept regular ACL processing and do what they needed. It seems to me that you should be able to at least prototype using dynacl first, to gain some experience with the real effects of these controls, before progressing further in the core code.

So far my preferred solution is to add two new ACL controls, which I
currently think of as "sufficient" and "requested".

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/