
Re: Fine grained access to attributes



On 29. sep. 2016 17:37, Ralf Mattes wrote:
> On Thursday, 29 September 2016 17:20 CEST, Dieter Klünter <dieter@dkluenter.de> wrote:
>> The reference is RFC3866
>
> That's the RFC for language and range tags, IIRC. What has this to do
> with the syntax of OpenLDAP's access control rules?

I do believe Dieter is talking about what the doc ought to be saying
but doesn't, since like me he knows LDAP too well to notice :-)
I'll file an ITS with a doc bug.

Briefly: "attributes" in indexes and ACLs generally refer to
attribute descriptions _and their subtypes_.  An attribute
description is an attribute type optionally followed by ;options,
which are an extension of the original concept of ;language tags.
A type with a language tag or user-defined ;option is a sub-type
of the original type, just like "cn" is a subtype of "name".

E.g. cn;x-hidden is a subtype of cn, if you've defined x-hidden.
And so you can use access control rules on it, and the rules
for plain "cn" will apply if a rule for cn;x-hidden doesn't
match first.

--
Hallvard
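
The subtype matching and rule ordering described in the message above, as an added example that is not part of the original post and not slapd's own code. It is a simplified model: the schema fragment, the rule lists, the access levels and the default of "none" are constructed assumptions.

```python
# Simplified model (an assumption, not slapd's implementation) of how an ACL
# target attribute description covers its subtypes, with first-match ordering.

SUPERTYPE = {"cn": "name"}  # constructed schema fragment: cn is a subtype of name


def parse(desc):
    """Split 'cn;x-hidden' into (type, frozenset of options), case-insensitively."""
    atype, *opts = desc.lower().split(";")
    return atype, frozenset(opts)


def covers(target, attr):
    """True if attr is the target description itself or one of its subtypes."""
    t_type, t_opts = parse(target)
    a_type, a_opts = parse(attr)
    # A subtype carries every option the target names; extra options narrow it further.
    if not t_opts <= a_opts:
        return False
    # Walk up the attribute type hierarchy from attr's type.
    while a_type is not None:
        if a_type == t_type:
            return True
        a_type = SUPERTYPE.get(a_type)
    return False


def access_for(rules, attr, default="none"):
    """Return the access level of the first rule whose target covers attr."""
    for target, level in rules:
        if covers(target, attr):
            return level
    return default  # assumed fallback when no rule matches


# Constructed rule lists: (target attribute description, access for a sample requester)
SPECIFIC_FIRST = [("cn;x-hidden", "none"), ("cn", "read")]
GENERAL_FIRST = [("cn", "read"), ("cn;x-hidden", "none")]

if __name__ == "__main__":
    for label, rules in (("specific first", SPECIFIC_FIRST), ("general first", GENERAL_FIRST)):
        for attr in ("cn", "cn;x-hidden", "cn;lang-de;x-hidden"):
            print(f"{label:15} {attr:22} -> {access_for(rules, attr)}")
```

With the general rule listed first, the rule for plain cn matches cn;x-hidden before the specific rule is reached, so the tagged values get the same access as cn.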