Re: ACI/ACL based on entry attribute values
> So here is a situation: there is an LDAP database in which the tree
> structure is not known ahead of time and will be dynamic. Effective
> access control should be provided based on the relative location of entries
> in an LDAP tree (and potentially other factors).
> Basically, what I am trying to accomplish is: if an entry has an
> X set to value "Val" (objectClass: CoolGuy), it will have access rights
> (as defined by some "magic" ACL) to any entry in its subtree.
> It seems that when defining "what" in an ACL, a subtree modifier is only
> available to a specified DN, not to "self", correct? (If yes, why?)
> In a more general case it would be convenient to match the accessed
> values (<what>) with authenticated entry values (<who>). For example, if
> "streetName" is X and "objectClass" is "Owner", grant access to all
> entries where "streetName" is X regardless of location.
> This sort of matching can be accomplished in ACLs (and ACI, I guess) if
> what is used to match the DN (and potentially filters for other attributes) had
> variable substitution with variables based on regexps matched on the authenticated entry.
You might want to have a look at "sets" (browse the FAQ)
> Anything like it exists/in work/of interest? Comments?
If you can come out with a specification a little more
consistent than the examples you gave above, it might
be of interest, provided it does not intersect too much
with acl sets, don't want to reinvent the wheel.
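As an added illustration (not from this thread, and not configuration shipped by the OpenLDAP project), here is a slapd.conf access directive using sets that expresses the "same streetName" case from the quoted question. The suffix dc=example,dc=com and the attribute name streetName are assumptions; in set syntax `this` denotes the entry being accessed and `user` the bound (authenticated) entry, and `&` is set intersection, so the clause grants access exactly when the two entries share at least one streetName value, wherever the target entry sits in the tree.

```conf
# Added example, not from the original post. Assumes a suffix of
# dc=example,dc=com and an attribute named streetName present on both
# the bound entry and the entries being accessed.
#
# Set semantics (slapd.access(5), "sets"): "this" is the entry being
# accessed, "user" is the bound entry, "&" is intersection. The set
# "this/streetName & user/streetName" is non-empty only when the two
# entries share a streetName value; an empty set grants nothing.
#
# Order matters: slapd uses the first "access to" clause whose <what>
# matches the target, and within it the first "by" clause whose <who>
# matches the requester. The two trailing "by" lines are the fall-through
# so that non-matching users get read-only and anonymous gets nothing.
access to dn.subtree="dc=example,dc=com"
    by set="this/streetName & user/streetName" write
    by users read
    by * none
```

The "objectClass is Owner" half of the question is not folded into this set expression: the ACL above keys only on the shared attribute value, which is the part the reply points at as already covered by sets. Before relying on it, bind as two test entries (one sharing the streetName of the target, one not) and confirm with ldapmodify that only the first can write; a set that silently evaluates to empty fails closed, which is the safe direction, but it is easy to mistype an attribute name and lock everyone out.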