directory-dev mailing list archives

From David Boreham <>
Subject Re: [apacheds] ACL implementation options (was ACLs questions)
Date Wed, 18 May 2005 15:12:06 GMT

> So how does this help Tony, Marc, and myself as well as others 
> interested in this thread?  Well consider the two options put forth 
> already.  One was to use OpenLDAP ACL syntax and file format.   In 
> this case a parser would parse the file at startup and add the 
> ACI/ACLs into the authz subsystem using the exposed API.  This would 
> not be conducive to replication but it would be the same as what 
> OpenLDAP has.  Plus it is not dynamic.

If you are looking for examples to study, take a look at the
Netscape/AOL/Sun server. It forked off from the same code line as
OpenLDAP many years ago so there are some similarities, but also
fundamental differences. The ACL metadata is stored in entries, not in
a flat file. The entries are not subentries, but that may have been due
to subentries not being implemented at the time the ACL mechanism was
re-designed. support was added in DS 5.0 time, whereas the ACLs were
done in DS 3.0. Also, the Netscape ACL mechanism embodies a number of
features that came about at the request of customers (put another way,
they weren't designed in an ivory tower, but rather as a result of real
[possibly crazy, but nevertheless real] folks' requests).

YMMV as always.
