
ACI/ACL based on entry attribute values

So here is a situation: there is an LDAP database in which the tree
structure is not known ahead of time and will be dynamic. Effective
access control should be provided based on relative location of entries
in an LDAP tree (and potentially other factors).

Basically, what I am trying to accomplish is - if an entry has an attribute
X set to value "Val" (objectClass: CoolGuy), it will have access rights
(as defined by some "magic" ACL) to any entry in its subtree.

It seems that when defining "what" in ACL, a subtree modifier is only
available to a specified DN, not to "self", correct? (If yes - why?)

In a more general case it would be convenient to match the accessed entry
values (<what>) with authenticated entry values (<who>). For example,
if "streetName" is X and "objectClass" is "Owner", grant access to all entries
where "streetName" is X regardless of location.

This sort of matching can be accomplished in ACLs (and ACI, I guess) if regexps
used to match DN (and potentially filters for other attributes) had variable substitution
with variables based on regexps matched on the authenticated entry.

Anything like it exists/in work/of interest? Comments?
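As an added example, not part of the original post, the two cases described above written as slapd.conf access directives, assuming the server is OpenLDAP slapd and the slapd.access(5) syntax (submatch expansion from the <what> regex into the <who> clause, and "set" style <who> clauses). The suffix dc=example,dc=com, the ou=people container and the attribute names are placeholders chosen for the example.

```conf
# Added example: OpenLDAP slapd.conf access directives (assumed server and
# syntax). dc=example,dc=com, ou=people and the attribute names are
# placeholders, not taken from the original post.

# Case 1: "self" with subtree scope. The <what> regex captures in $2 the DN
# of an entry under ou=people; every entry at or below that DN matches the
# rule. The <who> clause expands $2, so the matched entry, and only it, may
# write its own subtree. This submatch expansion is what stands in for a
# "self.subtree" modifier, which <who> does not offer directly.
access to dn.regex="^(.+,)?(uid=[^,]+,ou=people,dc=example,dc=com)$"
    by dn.exact,expand="$2" write
    by users read
    by * none

# Case 2: match values of the accessed entry ("this") against values of the
# bound entry ("user"). A set grants access when it evaluates to a non-empty
# set; the intersection of the two streetName value sets is non-empty exactly
# when the entries share a street name, regardless of where "this" sits in
# the tree. The additional "objectClass=Owner" condition from the post is
# deliberately not folded in: "&" intersects two value sets, it does not AND
# two truth values, so "(user/objectClass & [Owner]) & (user/streetName &
# this/streetName)" would almost always be empty.
access to dn.subtree="dc=example,dc=com"
    by set="user/streetName & this/streetName" write
    by users read
    by * none
```

Rules are evaluated in order and the first <what> that matches the target entry is the only one consulted, so the regex rule must precede the broad dn.subtree rule, and entries under ou=people never reach the set rule. Both fragments grant nothing to anonymous binds, which is the conservative default to keep while experimenting with expand and set clauses.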