
ACL Questions Part Deux

This is the way I understand Access control to work. If I am way off let me
know. But it doesn't look like *that* much has changed since V2. *Phew. ;)

Access control is done via the ACL rules. The ACL rules (for which
there's a particular syntax) are fed into the database via the
configuration files. ACLs control who is granted certain access to
what entries and attributes. Usually there are quite a few ACL rules and
they stack up. It checks the local rules first based on the attribute
you request. The first attribute that matches (in order of appearance in
the configuration file) is then checked for whom it applies. If it
doesn't apply to the requestor, then it continues down the ACL lists
until it hits another rule whose attribute matches the one which is
being requested. If it _does_ match the requestor's DN (or some mask of
it) it then checks what _kind_ of access is to be granted for that
matching rule. (hehe, easier drawn on a piece of paper, than said) ;)

Example: (use a monospace font to view this; i.e. Courier)

    FOO ---
         |--- B* ---
                  |--- WRITE
    FOO ---
         |--- *R ---
                  |--- READ
     *  ---
         |--- * ---
                 |--- DENY

If user BAR asks for FOO, he will be allowed to write to FOO. If
user COR asks for FOO he will only have read access. Etc.

We'll have to meet on this to decide, but at the end, we'll put
something like deny all everything, so that if someone attempts to
request access to an attribute/definition for which there are no rules,
they get nothing. (Safe AND it's the default behaviour)

Best Regards,
E. M. Recio

* Applied Sociology and Participatory Research          *
* Department of Psychology, Sociology, and Anthropology *
* Drexel University; Philadelphia, PA 19104; USA        *
* Email: <n2wog@usa.net>    ICQ: <458042>               *
* Homepage: < http://polywog.navpoint.com >             *
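
The evaluation order the post describes (pick rules by the requested attribute, then test the requestor against each candidate in turn, first full match wins, deny when nothing matches) as an added Python simulator. This is example code written for this page, not code from the post and not OpenLDAP's actual ACL engine; the `Rule` class, `evaluate()` and `matching_rule()` helpers, the glob matching via `fnmatch`, and the user names BOR and XYZ are all constructed assumptions. The three rules are the ones drawn in the post, and the last block shows why the catch-all deny has to sit at the end rather than the front of the list.

```python
"""Simulator of the first-match ACL walk described in the post.

Added example, not the post's own code and not OpenLDAP's implementation.
Rule/requestor names are constructed; pattern syntax is plain shell globbing
(an assumption made for illustration).
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    target: str  # the "what": attribute name pattern, e.g. "FOO" or "*"
    who: str     # the "who": requestor pattern, e.g. "B*", "*R" or "*"
    access: str  # access level granted when both patterns match


def matching_rule(rules: List[Rule], requestor: str, attribute: str) -> Optional[int]:
    """Return the index of the first rule that matches both target and who.

    Mirrors the post: look at rules whose attribute pattern matches the
    requested attribute, in file order; for each, check whether the requestor
    matches; keep walking if not; stop at the first rule where both match.
    """
    for index, rule in enumerate(rules):
        if not fnmatchcase(attribute, rule.target):
            continue  # not about this attribute, skip it
        if not fnmatchcase(requestor, rule.who):
            continue  # right attribute, wrong requestor, keep going down the list
        return index
    return None  # fell off the end: no rule applies


def evaluate(rules: List[Rule], requestor: str, attribute: str,
             default: str = "DENY") -> str:
    """Access level for (requestor, attribute), or `default` if no rule matches."""
    index = matching_rule(rules, requestor, attribute)
    return default if index is None else rules[index].access


# The three rules drawn in the post, in the order they appear in the file.
POST_RULES = [
    Rule("FOO", "B*", "WRITE"),
    Rule("FOO", "*R", "READ"),
    Rule("*", "*", "DENY"),   # the "deny all everything" catch-all, last
]

# Same rules with the catch-all moved to the front: it now shadows the rest,
# which is the ordering mistake the first-match walk makes easy to commit.
DENY_FIRST_RULES = [POST_RULES[2], POST_RULES[0], POST_RULES[1]]


def order_matters() -> dict:
    """Show that rule order, not just rule content, decides the outcome."""
    return {
        "BAR/FOO, deny last": evaluate(POST_RULES, "BAR", "FOO"),
        "BAR/FOO, deny first": evaluate(DENY_FIRST_RULES, "BAR", "FOO"),
    }


if __name__ == "__main__":
    for requestor, attribute in [("BAR", "FOO"), ("COR", "FOO"),
                                 ("BOR", "FOO"), ("XYZ", "FOO"), ("BAR", "BAZ")]:
        print(f"{requestor} -> {attribute}: {evaluate(POST_RULES, requestor, attribute)}")
    print(order_matters())
```

BOR matches both `B*` and `*R`, and gets WRITE because the `B*` rule comes first; reordering the two FOO rules would give BOR READ instead. That is the same mechanism that makes a leading catch-all deny swallow every later grant.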
