
Re: child modification

At 07:37 PM 5/3/99 -0000, Efgé wrote:
>> Before making "entry" ACLs a configurable option, I like to:
>> 	1) review other options
>> 	2) look at ways of integrating "entry" ACLs which protect
>>          against misconfiguration
>> Here's one slight variant which might work out okay:
>>  add:
>> 	require write to parent's "children"
>>  modrdn/delete:
>> 	require write to parent's "children"
>> 	AND, if entry acls enabled, write to entry's "entry".
>>  rename:
>> 	require write to old and new parent's "children"
>> 	AND, if entry acls enabled, write to entry's "entry".
>This would work for me, and I believe it's a reasonable design.

I've modified the code such that -DSLAPD_CHILD_MODIFICATION_WITH_ENTRY_ACL
enables the above behavior.  I would welcome patches to make this a
configuration item.

>Now that I think about it, I have something else to propose, which may
>or may not have been discussed before on this list but I'm fairly new to
>all this :
>When I read the docs for the Netscape Directory server, I found an "add"
>and a "delete" right in the access list.

>I was quite surprised when I came to OpenLDAP to find no similar
>concept, and I had to dig into the source to find out how "add" was

>How difficult would it be to add such an access right ?

It would be fairly easy to split "write" into "add/modify/delete".
The question, though, is: does the added flexibility warrant
the additional complexity?

>Also, is the strict ordering write > read > search > ... necessary ?

No.  This is just our model.  It simplifies specification of ACLs
(you'd have to introduce some sort of "OR" operator or lots (2^N)
of keywords to support N orthogonal access modes).

Under an ordered system, I would suggest


I would suggest "write" become an alias for "delete" such
that current "write" ACLs would continue to act as they
do today.

>Or is all this mandated by the LDAP specs ?

Access control requirements are not yet standardized.
However, there are a couple of drafts in this area.

>While I'm on the topic, for those who know the code, how difficult would
>it be to add netscape-like ACLs directly into the entries (the aci:
>attribute) ?

This would be a major undertaking.
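
The add/modrdn/delete/rename rule quoted near the top of this message, written out as an added C example that is not part of the original mail and is not slapd's code. The type and function names and the sample grants are hypothetical, constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names; constructed for illustration, not slapd's code. */
enum op { OP_ADD, OP_DELETE, OP_MODRDN, OP_RENAME };

/* A grant: the requester may write attribute `attr` of entry `dn`. */
struct grant { const char *dn; const char *attr; };

/* Constructed sample grants for one requester. */
static const struct grant SAMPLE[] = {
    { "ou=People,dc=example,dc=com", "children" },
    { "ou=Staff,dc=example,dc=com", "children" },
    { "cn=alice,ou=People,dc=example,dc=com", "entry" },
};
#define SAMPLE_N (sizeof SAMPLE / sizeof SAMPLE[0])

static bool has_write(const char *dn, const char *attr)
{
    for (size_t i = 0; i < SAMPLE_N; i++)
        if (!strcmp(SAMPLE[i].dn, dn) && !strcmp(SAMPLE[i].attr, attr))
            return true;
    return false;
}

/* new_parent is consulted only for OP_RENAME. */
bool op_allowed(enum op op, const char *entry, const char *parent,
                const char *new_parent, bool entry_acls)
{
    if (!has_write(parent, "children"))
        return false;            /* every operation needs this */
    if (op == OP_RENAME && !has_write(new_parent, "children"))
        return false;            /* rename also needs the new parent */
    if (op == OP_ADD)
        return true;             /* add never consults "entry" */
    return !entry_acls || has_write(entry, "entry");
}

int main(void)
{
    const char *p = "ou=People,dc=example,dc=com";
    const char *bob = "cn=bob,ou=People,dc=example,dc=com";
    printf("delete bob, entry ACLs off: %d\n", op_allowed(OP_DELETE, bob, p, NULL, false));
    printf("delete bob, entry ACLs on:  %d\n", op_allowed(OP_DELETE, bob, p, NULL, true));
    return 0;
}
```

With entry ACLs off, write access to the parent's "children" alone permits deleting any child; with them on, the same requester can only delete or rename entries whose "entry" it may also write.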