Full_Name: Jean-Etienne Schwartz
Version: 2.2.20
OS: any
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (129.185.75.9)

Please find an enhancement about ACL. This patch allows the definition of a dynamic ACL. It has been tested for our own purpose since September 2003.

All specifications are located in ftp.openldap.org/incoming/jean-etienne-schwartz-050125-dynacl.doc (this is a WORD document).
The patch is ftp.openldap.org/incoming/jean-etienne-schwartz-050125-patch
The schema extension is ftp.openldap.org/incoming/jean-etienne-schwartz-050125-dynacl.schema
A sample access definition is ftp.openldap.org/incoming/jean-etienne-schwartz-050125-access.slapd

I post it mainly to discuss for the moment, as it is not based on HEAD. But if you wish to integrate it like this, feel free :)

TODO (at least): 2.2.20 -> HEAD

Legal notice: This patch file is derived from OpenLDAP Software. All of the modifications to OpenLDAP Software represented in this following patch were developed by Jean-Etienne Schwartz jean-etienne.schwartz@bull.net. These modifications are not subject to any license of BULL.

The attached modifications to OpenLDAP Software are subject to the following notice:

Copyright 2003-2005 Jean-Etienne Schwartz
Redistribution and use in source and binary forms, with or without modification, are permitted only as authorized by the OpenLDAP Public License.
A few very preliminary comments, while I'm reading the details of your submission:

1) a .pdf version of the doc is mandatory; with OpenOffice your document looks terrible because of the font choice.

2) I cannot access the example configuration file; bad URL?

3) I note that ACLs in HEAD have been modified quite a bit with respect to RE22 code; significantly:
 a) another implementation with the name dynamic ACLs is present, where dynamic means "run-time loadable"
 b) ACIs now use this API
 c) "disclose" and "manage" access levels have been added, with the former being implemented (it's already complete in back-sql and portions are implemented in back-bdb/hdb/ldbm).
 d) sets have been partially reworked

Although the above may not directly impact/conflict with your submission, I think a lot of workload may be required to integrate it with HEAD code, but this is the only way to go if you want it to be considered, because RE22 is feature frozen and 2.3 (essentially, HEAD) is being rolled out.

Further comments will follow; by now, thanks for the contribution.

p.
changed notes
changed state Open to Feedback
moved from Incoming to Contrib
OK

1) I send you a PDF version jean-etienne-schwartz-050125-dynacl.pdf

2) Yes, I resubmit it with the good name

3) For me dynamic means that ACL come with the current node, automatically (see pdf)
 a) the keyword we use is 'dynacl'
 b) and d) no interactions with ACI or SET

Pierangelo Masarati <openldap-its@OpenLDAP.org> 25/01/05 18:00
To: jean-etienne.schwartz@bull.net
cc:
Subject: Re: ACLs Enhancements (ITS#3515)

[quoted text of the preliminary comments above omitted]
> OK
> 1) I send you a PDF version jean-etienne-schwartz-050125-dynacl.pdf
> 2) Yes, I resubmit it with the good name
> 3) For me dynamic means that ACL come with the current node, automatically
> (see pdf)

Yes, I think I got the overall idea.

> a) the keyword we use is 'dynacl'

Same as in HEAD: "by dynacl/<custom name>[=<pattern>] <access>" triggers using the run-time loadable checks.

> b) and d) no interactions with ACI or SET

I don't mean there needs to be a direct interaction; likely patch integration will be harder. In any case, I assume a contribution with such a large impact should well harmonize with existing features... I'll keep reading.

p.

--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
SysNet - via Dossi,8 27100 Pavia
Tel: +390382573859
Fax: +390382476497
> Please find the port to HEAD (2.3.0alpha) of the ACL enhancements
> (ITS#3515).
> Major change: the keyword 'dynacl' is changed to 'autoacl' (automatic acl)
>
> The patch is
> ftp.openldap.org/incoming/jean-etienne-schwartz-050126-patch
> The schema extension is
> ftp.openldap.org/incoming/jean-etienne-schwartz-050126-autoacl.schema
> An sample access definition is
> ftp.openldap.org/incoming/jean-etienne-schwartz-050126-slapd.access

Thanks; please keep further discussion on the ITS for tracking purposes.

p.

--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
SysNet - via Dossi,8 27100 Pavia
Tel: +390382573859
Fax: +390382476497
changed notes
changed state Feedback to Suspended
This looks mostly like ACI to me, with some special inheritance rules. Is it still relevant?

--
Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
hyc@symas.com wrote:
> This looks mostly like ACI to me, with some special inheritance rules. Is it
> still relevant?

AFAIR that was a custom ACL checking development that I found interesting from a technical point of view but (I might be wrong) of limited usefulness outside the scope it was developed for. In the meanwhile, and probably triggered by that posting, I added several ways of customizing access checking: via overlays, using dynacl (that was added earlier, for the purpose of isolating ACIs, but it could have served the same purpose).

In this sense, I don't think this contribution can be of any use right now; it could be turned into a dynacl for custom use by the posters, or by anyone who finds it useful.

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------
changed notes
changed state Suspended to Closed
moved from Contrib to Archive.Contrib
not generally useful enough (see discussion) should be cast into "dynacl"