Specific add, delete rights vs. children/entry

I think it would be pretty straightforward to change from using the "children" attribute as access control for adding, deleting and modrdn'ing. What I propose is that -- internally -- slapd use something more akin to the add/delete/editDN rights from draft-ietf-ldapext-acl-model-03.txt. By internally, I mean that the ACLs can still use "children" to limit access for these operations, but backends would not use this pseudo-attribute to determine access rights. This would only affect the ldbm and bdb2 backends. This would make it easy for ACIs to restrict access based on add/delete/editDN rights.

Any comments?