[Date Prev][Date Next]
general aci reflection
> OpenLDAPaci: 0#entry#grant;r,s,c;objectClass#public#
> OpenLDAPaci: 1#entry#grant;r,s,c;userReference#public#
> OpenLDAPaci: 2#entry#grant;r,s,c;[entry]#public#
> OpenLDAPaci: 3#entry#grant;r,s,c;useControls#users#
> OpenLDAPaci: 4#entry#grant;r,s,c;useEzmlm#users#
> openldapaci: 1#entry#grant;w,r,s,c;[entry]#access-id#uid=turbo,ou=people,o=fredriksson,c=se
Actually, what always seems strange to me with ACIs,
was, that ACL, whatever it contains actually, is
stored inside _one_ attribute value.
The following is clear to me:
1. ACL for entry "X" is stored with the entry itself
2. One entry may have zero or more acls stored with it
3. one acl have more than one "sub-values", where somehow valid
set of these sub-values of many kinds, build a final _one_ accesslist
for an entry
4. (?) whatever one access list is going to contain, it must conform
to access list general syntax - it must be always possible to
write down ACL of the same meaning, using slapd.conf acl syntax
and ACI attribute value syntax.
Now, the question is, why actually ACI access list attribute
keeps the whole access list in "one line" (one value of the
attribute) ? Access list, anyway, is a set of information,
with some not straigt syntax, it keeps at least three
kinds of data - "by who", "to where", "what", "grant/deny", etc. etc.
Now, it's the LDAP, right? objective database, class hierarchy etc.
So why it's not some object-based strucure for access list,
but such "one-line" structure? It reminds me some mysql-like
overusaged application, which uses varchar column "mysupervaluecolumn",
and put into this column values like "val1", "val1,val5", "val5,val3",
instead of creating a table and tune up information graining (ep..
granularity, or whatever the appropriate word was :-)
I'm not openldap developer, anyway I'm developer of somekind, so
as I'm probably not aware exactly _how_much_ work is related to
access list object-based storage, anyway I'm aware it's very much,
and probably much more that parsing some "one_line" value :-).
But the question persists, do I miss something? Why ACIs are/were
designed this way? Was there some reason, or just that came up? :)
Sorry for misdirect, if this post should go to openldap-devel list :)