directory-dev mailing list archives

From Tony Blanchard <>
Subject Re: ACLs questions
Date Mon, 16 May 2005 10:08:25 GMT
Hello Alex,

First, hope your health is better.

I have written a new page in the Wiki as you asked me to.

Please tell me your opinion about this, as the other users of this list 
are encouraged to do. (My English is not very good either, so feel free to 
tell me about grammar or expression mistakes.)

I would like to implement this test case but I have a real problem with 
the tests. I am using Maven for NetBeans (Mevenide) and some of the tests 
fail and I have to skip them to build. My question is how to pass 
arguments to run a test. It seems that the problem resides in the path to 
the backend database directory (the "doDelete" operation fails all the time).

I will create a JIRA issue after being able to pass tests and having 
implemented the test case...

Thanks for your help,
Tony Blanchard

Alex Karasulu wrote:

> Tony Blanchard wrote:
>> Hello,
>> I have two questions for the future of ACLs with apacheds.
> I have some too :).
>> 1 - I have noticed there was no user read access on 
>> uid=self,ou=users,ou=system and I think there should be.
>> I have modified the "isSearchable" operation on AuthorizationService 
>> to enable the read operation on the "self" entry and not on the others.
>> What do you think about this, and is it possible to add this code to 
>> the class:
> I thought we had full read access on self entries.  Could you show the 
> lack of this with a test case addition patch, then post this code to a 
> JIRA issue? This way we don't forget about it and can confirm the fix 
> easily.  Nice to isolate the problem with a test case as well.
> <snip/>
>> 2 - What about having an "openLDAP like" simplified ACL mechanism?
> I don't know; I have not put enough thought into this because there are 
> so many things standing in my way right now, like implementing 
> subentries so we can store ACLs ;).  However, going with their scheme 
> might be a good idea.  Can you take the time to research the strengths 
> and weaknesses of this approach?
> Are there other options?  What are the performance implications?
> We could certainly build authz into the directory very rapidly.  I 
> would however like to research how different directories do authz first.
>> Here are the properties which should be used to register the ACLs to 
>> the server:
>> server.db.partitions.{id}.access.whatid=whatdn  //Mandatory: maybe a 
>> regexp or an exact dn
>> server.db.partitions.{id}.access.whatid.filter=An LDAPFilter  //Optional
>> server.db.partitions.{id}.access.whatid.scope={exact|one|sub|children}  
>> //Mandatory
>> server.db.partitions.{id}.access.whatid.whoid=whodn  //Mandatory: maybe a 
>> regexp or a whodn space separated list
>> server.db.partitions.{id}.access.whatid.attributes=attr space 
>> separated list  //Optional: not valid for some scope types...
>> server.db.partitions.{id}.access.whatid.level={none|auth|read|write}  
>> //Mandatory
>> server.db.partitions.{id}.access.whatid.special_level=self  
>> //Optional: allows special operations like having a certain access 
>> level or privilege only in case the operation involves the name of 
>> the user that's requesting the access.
>> Maybe the Authentication service should load ACLs at runtime (be 
>> careful of regexps for "whodn") and attach them to the principal, 
>> which is accessible from the AuthorizationService.
>> Then, the authorization service should look for them each time a 
>> call is made...
>> What do you think about it?
> Nothing yet.  I'll try to free up some time to give this more 
> traction.  These links below help.  Please feel free to put them up on 
> our Wiki, create your own Authz page and add these links and other 
> research to them.
>> Please take a look at the openLDAP documentation to compare this to 
>> an existing ACL implementation:
>> -
>> - 

> Thanks Tony,
> Alex
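To make the property-based scheme proposed in the quoted message concrete, here is a small evaluator written for this archive page (it is not ApacheDS code and was not posted in the thread). It parses properties of the proposed form, matches scope, whoid and the special "self" level, and answers whether a principal may perform an operation at a given level; the filter field is ignored, DN comparison is a plain case-insensitive RDN comparison rather than full LDAP DN normalisation, and the "selfread" rule below is a constructed sample.

```python
import re
LEVELS = {"none": 0, "auth": 1, "read": 2, "write": 3}   # rank of the proposed levels

def parse_acls(text, partition):
    # Group server.db.partitions.{id}.access.{whatid}[.field]=value lines into rules
    prefix, rules = f"server.db.partitions.{partition}.access.", {}
    for line in text.splitlines():
        key, _, value = line.partition("=")   # values (DNs) may contain '=' themselves
        if key.startswith(prefix):
            whatid, _, field = key[len(prefix):].partition(".")
            rules.setdefault(whatid, {})[field or "what"] = value.strip()
    return list(rules.values())

def rdns(dn):
    return [p.strip().lower() for p in dn.split(",")]

def scope_matches(scope, what, target):
    w, t = rdns(what), rdns(target)
    below = len(t) > len(w) and t[-len(w):] == w   # target lies beneath "what"
    return {"exact": w == t, "one": below and len(t) == len(w) + 1,
            "children": below, "sub": below or w == t}.get(scope, False)

def who_matches(whoid, principal):
    # whoid is a space separated list; each item is an exact DN or a regexp
    return any(item.lower() == principal.lower() or re.fullmatch(item, principal, re.I)
               for item in whoid.split())

def allowed(rules, principal, target, level, attribute=None):
    for r in rules:
        if not (scope_matches(r.get("scope", "exact"), r["what"], target)
                and who_matches(r.get("whoid", ""), principal)):
            continue
        # special_level=self: the rule only applies to the requester's own entry
        if r.get("special_level") == "self" and rdns(target) != rdns(principal):
            continue
        attrs = r.get("attributes")   # attribute-scoped rules grant nothing entry-wide
        if attrs and (attribute is None or attribute.lower() not in attrs.lower().split()):
            continue
        if LEVELS.get(r.get("level", "none"), 0) >= LEVELS[level]:
            return True
    return False

# Constructed sample configuration in the proposed property syntax.
PROPS = """\
server.db.partitions.system.access.selfread=ou=users,ou=system
server.db.partitions.system.access.selfread.scope=children
server.db.partitions.system.access.selfread.whoid=.*
server.db.partitions.system.access.selfread.level=read
server.db.partitions.system.access.selfread.special_level=self
"""
RULES = parse_acls(PROPS, "system")
```

With this rule set a user can read only their own entry under ou=users, and nobody gets write access, which is the behaviour the first question in the thread asks for.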
