[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Get Effective Rights

Ed Frey wrote:
Has openLDAP implemented the Get Effective Rights control extension? I tried using "2.16.840.1.113719." (getEffectivePrivilegesRequest); however, got a "not implemented" result.

That's because it is not implemented. Funny how sometimes things mean what they say...

I searched around google and the list archives and saw some references to it, but never a reference to whether it was implemented or not.

I'm trying to move an application that was running against novell's eDirectory to openLDAP and it makes heavy use of this control. That OID may be novell specific, but i didn't see anything in ldap.h with that name either.

It's part of an old draft spec for an LDAP Access Control standard. I haven't seen it make any progress since 2001 though. An old copy of the spec is included with the OpenLDAP source distro, and has been for several years.

Any insight would be appreciated
Thank you

The abovementioned spec does too little, tries to solve the problems from the wrong direction, and is pretty much inadequate overall. That may be one reason it never progressed any further. Another reason may just be the problem space was larger than the folks working on that spec could tackle. Dunno.

I guess that's kind of a hallmark for LDAP's history - a bunch of people look at a problem, decide that the extant solution is too complicated, so they try to come up with a "simpler" "easier to use" model, which in its simplicity fails to solve the original problem. That's pretty much why we have LDAP in the first place, instead of just DAP. And why there are still so many gaping holes in the LDAP specs...

That's my personal view of things. (Not that X.500 is perfect, of course, but at least it showed that careful thinking went into it originally.)
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
Chief Architect, OpenLDAP http://www.openldap.org/project/