Re: child modification
At 07:37 PM 5/3/99 -0000, Efgé wrote:
>> Before making "entry" ACLs a configurable option, I like to:
>> 1) review other options
>> 2) look at ways of integrating "entry" ACLs which protect
>> against misconfiguration
>> Here's one slight variant which might work out okay:
>> add:
>> require write to parent's "children"
>> modrdn/delete:
>> require write to parent's "children"
>> AND, if entry acls enabled, write to entry's "entry".
>> rename:
>> require write to old and new parent's "children"
>> AND, if entry acls enabled, write to entry's "entry".
>This would work for me, and I believe it's a reasonable design.
I've modified the code such that -DSLAPD_CHILD_MODIFICATION_WITH_ENTRY_ACL
enables the above behavior. I would welcome patches to make this a
configuration item.
>Now that I think about it, I have something else to propose, which may
>or may not have been discussed before on this list but I'm fairly new to
>all this :
>
>When I read the docs for the Netscape Directory server, I found an "add"
>and a "delete" right in the access list.
>I was quite surprised when I came to OpenLDAP to find no similar
>concept, and I had to dig into the source to find out how "add" was
>handled.
>How difficult would it be to add such an access right ?
It would be fairly easy to split "write" into "add/modify/delete".
The question, though, is whether the added flexibility warrants
the additional complexity.
>Also, is the strict ordering write > read > search > ... necessary ?
No. This is just our model. It simplifies specification of ACLs
(you'd have to introduce some sort of "OR" operator or lots of 2^N
keywords to support N orthogonal access modes).
Under an ordered system, I would suggest
delete
add
modify
search
compare
none
I would suggest "write" become an alias for "delete" such
that current "write" ACLs would continue to act as they
do today.
>Or is all this mandated by the LDAP specs ?
Access control requirements are not yet standardized.
However, there are a couple of drafts in this area.
>While I'm on the topic, for those who know the code, how difficult would
>it be to add netscape-like ACLs directly into the entries (the aci:
>attribute) ?
This would be a major undertaking.
Kurt
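The following is an added illustration of the two design points in the message above: the ordered ("ladder") access model, where one keyword per ACL clause implies every level below it instead of needing an "OR" operator or 2^N keywords for N orthogonal modes, and the child-modification rule (add needs write to the parent's "children"; delete/modrdn additionally need write to the entry's "entry" when entry ACLs are enabled; rename needs write to both the old and the new parent's "children"). It is example code written for this page, not OpenLDAP's slapd ACL implementation. The two ladders and the "write" alias are taken from the message as written; the ACL table, DNs, function names and the `AclCheck` callback shape are constructed for the example.

```python
"""Ordered access ladder plus the child-modification rule from the thread.

Example code for this page, not slapd's ACL code.  Ladders are copied from
the message; the ACL table, DNs and helper names are constructed here.
"""
from typing import Callable, Dict, Optional, Sequence, Tuple

# Highest privilege first, exactly as listed in the message.
CURRENT_LADDER = ("write", "read", "search", "compare", "none")
PROPOSED_LADDER = ("delete", "add", "modify", "search", "compare", "none")

# The message proposes "write" as an alias for "delete" so that existing
# "write" ACLs keep their present meaning under the proposed ladder.
ALIASES = {"write": "delete"}


def resolve(level: str, ladder: Sequence[str]) -> str:
    """Map an ACL keyword onto a rung of `ladder`, honouring aliases."""
    if level in ladder:
        return level
    alias = ALIASES.get(level)
    if alias is None or alias not in ladder:
        raise ValueError(f"unknown access level {level!r} for ladder {ladder}")
    return alias


def implies(granted: str, required: str,
            ladder: Sequence[str] = PROPOSED_LADDER) -> bool:
    """True when a grant of `granted` satisfies a request for `required`.

    Index 0 is the most privileged rung, so a smaller index implies a larger
    one.  That single comparison is the whole "strict ordering" model."""
    return ladder.index(resolve(granted, ladder)) <= ladder.index(resolve(required, ladder))


def parent_of(dn: str) -> str:
    """Parent DN: split on the first comma that is not backslash-escaped.

    A naive dn.split(",") would break an RDN such as 'cn=Doe\\, John'.
    The suffix itself has no parent and yields ''."""
    i = 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2          # skip the escaped character
            continue
        if dn[i] == ",":
            return dn[i + 1:].lstrip()
        i += 1
    return ""


# Constructed callback shape: (dn, pseudo-attribute, required access) -> granted?
AclCheck = Callable[[str, str, str], bool]


def child_modification_allowed(op: str, dn: str, check: AclCheck,
                               entry_acls_enabled: bool = False,
                               new_parent: Optional[str] = None) -> bool:
    """Apply the per-operation rule from the message to `dn`.

    `entry_acls_enabled` plays the role of the compile-time switch in the
    reply; `check` evaluates one (dn, attribute, access) requirement."""
    if op not in ("add", "delete", "modrdn", "rename"):
        raise ValueError(f"unsupported operation {op!r}")
    needed = [(parent_of(dn), "children", "write")]
    if op in ("delete", "modrdn", "rename") and entry_acls_enabled:
        needed.append((dn, "entry", "write"))
    if op == "rename":
        if new_parent is None:
            raise ValueError("rename needs the new parent DN")
        needed.append((new_parent, "children", "write"))
    return all(check(d, attr, access) for d, attr, access in needed)


# Constructed ACL table for the demonstration, keyed by (dn, pseudo-attribute).
SAMPLE_ACL: Dict[Tuple[str, str], str] = {
    ("ou=people,dc=example,dc=com", "children"): "write",
    ("ou=staff,dc=example,dc=com", "children"): "modify",
    ("cn=alice,ou=people,dc=example,dc=com", "entry"): "search",
    ("cn=bob,ou=people,dc=example,dc=com", "entry"): "write",
}


def sample_check(dn: str, attr: str, access: str) -> bool:
    """Look the grant up in SAMPLE_ACL; anything unlisted is 'none'."""
    return implies(SAMPLE_ACL.get((dn, attr), "none"), access, PROPOSED_LADDER)


if __name__ == "__main__":
    alice = "cn=alice,ou=people,dc=example,dc=com"
    staff = "ou=staff,dc=example,dc=com"
    print("add alice:", child_modification_allowed("add", alice, sample_check))
    print("delete alice, entry ACLs on:",
          child_modification_allowed("delete", alice, sample_check, True))
    print("rename alice under ou=staff:",
          child_modification_allowed("rename", alice, sample_check, False, staff))
```

With the constructed table, adding or deleting `cn=alice` under `ou=people` passes while entry ACLs are disabled, but enabling them makes the delete fail because alice's own "entry" only grants "search"; the rename into `ou=staff` fails regardless, since that parent's "children" grant is "modify", which sits below "delete" (the rung "write" aliases to) on the proposed ladder.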