
Re: ACI



>>>>> "Michael" == Michael Ströder <michael@stroeder.com> writes:

    Michael> Turbo Fredriksson wrote:
    >> I'm about to extend my 'product' phpQLAdmin to use ACI, but I'm
    >> not sure how to check if this is available...

    Michael>  From your comment I guess that phpQLAdmin enforces
    Michael> access control to the user. IMHO it's a better
    Michael> application design to let the user bind with his own
    Michael> identity and leave the access control up to the LDAP
    Michael> server.

The LDAP server isn't "fine grained" enough. I can't seem to make
"recursive" ACLs. That is, I can't say

        access to dn=".*?dc=com"
                by dnattr=administrator write
                by * read

and hope that the administrator value will be accessed at the
'dc=com' object whenever something below this is being accessed.

Also, I want to have the possibility to do 'dynamic' AC[IL]
updates. I.e., without changing slapd.conf.

    Michael> Additionally note that use of attribute 'aci' is
    Michael> vendor-specific.

I can live with this :) That's why I wanted to know HOW I can
find out if the LDAP server supports this via a 'simple' query...