From: David Boreham
To: Apache Directory Developers List <dev@directory.apache.org>
Date: Wed, 18 May 2005 08:12:06 -0700
Subject: Re: [apacheds] ACL implementation options (was ACLs questions)
Message-ID: <428B5B46.4080707@bozemanpass.com>
In-Reply-To: <428AAB54.8030007@bellsouth.net>

> So how does this help Tony, Marc, and myself as well as others
> interested in this thread? Well consider the two options put forth
> already. One was to use OpenLDAP ACL syntax and file format. In
> this case a parser would parse the file at startup and add the
> ACI/ACLs into the authz subsystem using the exposed API. This would
> not be conducive to replication but it would be the same as what
> OpenLDAP has. Plus it is not dynamic.

If you are looking for examples to study, take a look at the Netscape/AOL/Sun server. It forked off from the same code line as OpenLDAP many years ago, so there are some similarities, but also fundamental differences. The ACL metadata is stored in entries, not in a flat file. The entries are not subentries, but that may have been due to subentries not being implemented at the time the ACL mechanism was re-designed. Subentry support was added in DS 5.0 time, whereas the ACLs were done in DS 3.0.

Also, the Netscape ACL mechanism embodies a number of features that came about at the request of customers (put another way, they weren't designed in an ivory tower, but rather as a result of real [possibly crazy, but nevertheless real] folks' requests).

YMMV as always.
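The two storage models argued over above, side by side in a toy evaluator. This is an added illustration, not ApacheDS, OpenLDAP or Netscape code: option (a) parses a subset of slapd.conf-style `access to <what> by <who> <level>` directives once, the way a startup-time file parser would, while option (b) reads ACL values from an `aci` attribute on the entries themselves at check time, so an LDAP modify on the entry changes policy immediately and the values travel with the entry when it is replicated. The directive subset, the entry layout, the parent-walk scoping, the deny-by-default rule and the sample directory are this example's own assumptions; in particular the entry-stored values reuse the slapd-style syntax only for brevity, the real Netscape `aci` syntax is different.

```python
import copy
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Access levels in increasing order of privilege (the slapd.access(5) ordering).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


@dataclass
class ByClause:
    who: str      # '*', 'anonymous', 'users', 'self' or dn="<dn>"
    level: str


@dataclass
class Directive:
    what: str     # '*', dn.subtree="<dn>" or attrs=<name>[,<name>...]
    by: List[ByClause]


def parse_directives(text: str) -> List[Directive]:
    """Parse the supported subset of 'access to <what> by <who> <level>' lines."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r'access\s+to\s+(\S+)((?:\s+by\s+\S+\s+\w+)+)', line)
        if not m:
            raise ValueError(f"unsupported directive: {line!r}")
        by = [ByClause(w, l) for w, l in re.findall(r'by\s+(\S+)\s+(\w+)', m.group(2))]
        for c in by:
            if c.level not in LEVELS:
                raise ValueError(f"unknown access level {c.level!r}")
        out.append(Directive(m.group(1), by))
    return out


def _what_matches(what: str, dn: str, attr: str) -> bool:
    if what == "*":
        return True
    if what.startswith("dn.subtree="):
        base = what[len("dn.subtree="):].strip('"').lower()
        return dn.lower() == base or dn.lower().endswith("," + base)
    if what.startswith("attrs="):
        return attr.lower() in [a.lower() for a in what[len("attrs="):].split(",")]
    raise ValueError(f"unsupported <what>: {what!r}")


def _who_matches(who: str, requester: Optional[str], dn: str) -> bool:
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == dn.lower()
    if who.startswith("dn="):
        return requester is not None and requester.lower() == who[3:].strip('"').lower()
    raise ValueError(f"unsupported <who>: {who!r}")


def evaluate(directives: List[Directive], requester: Optional[str],
             dn: str, attr: str, wanted: str) -> bool:
    """First directive whose <what> matches wins; within it the first matching
    by clause decides. Anything unmatched is denied (assumed deny-by-default)."""
    for d in directives:
        if not _what_matches(d.what, dn, attr):
            continue
        for c in d.by:
            if _who_matches(c.who, requester, dn):
                return LEVELS.index(c.level) >= LEVELS.index(wanted)
        return False
    return False


class FlatFileAcl:
    """Option (a): the whole policy is parsed once at startup; a change means
    editing the file and reloading, and nothing about it is replicated."""
    def __init__(self, conf_text: str):
        self.directives = parse_directives(conf_text)

    def check(self, requester, dn, attr, wanted) -> bool:
        return evaluate(self.directives, requester, dn, attr, wanted)


class EntryStoredAcl:
    """Option (b): each entry may carry an 'aci' attribute that governs the entry
    and its subtree. Values are read at check time, so a modify on the entry is
    effective at once and replicates with the entry. (Naive DN split: escaped
    commas in RDNs are not handled; assumption for this toy.)"""
    def __init__(self, directory: Dict[str, Dict[str, List[str]]]):
        self.directory = directory

    def _self_and_ancestors(self, dn: str) -> List[str]:
        parts = dn.split(",")
        return [",".join(parts[i:]) for i in range(len(parts))]

    def check(self, requester, dn, attr, wanted) -> bool:
        directives: List[Directive] = []
        for d in self._self_and_ancestors(dn):       # nearest entry first
            for v in self.directory.get(d, {}).get("aci", []):
                directives.extend(parse_directives(v))
        return evaluate(directives, requester, dn, attr, wanted)


# Constructed sample policy and directory, not taken from any real deployment.
SLAPD_CONF = """
access to attrs=userPassword by self write by anonymous auth by * none
access to dn.subtree="ou=people,dc=example,dc=com" by users read by * none
"""
ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"
DIRECTORY = {
    "dc=example,dc=com": {"aci": ["access to * by users read by * none"]},
    "ou=people,dc=example,dc=com": {},
    ALICE: {"cn": ["Alice"], "userPassword": ["secret"],
            "aci": ["access to attrs=userPassword by self write by * none"]},
    BOB: {"cn": ["Bob"], "userPassword": ["secret"]},
}


def demo() -> Dict[str, bool]:
    flat = FlatFileAcl(SLAPD_CONF)
    stored = EntryStoredAcl(copy.deepcopy(DIRECTORY))
    r = {
        "flat_self_write_pw": flat.check(ALICE, ALICE, "userPassword", "write"),
        "flat_other_read_pw": flat.check(BOB, ALICE, "userPassword", "read"),
        "flat_anon_auth_pw": flat.check(None, ALICE, "userPassword", "auth"),
        "flat_anon_read_cn": flat.check(None, ALICE, "cn", "read"),
        "stored_other_read_cn": stored.check(BOB, ALICE, "cn", "read"),
        "stored_other_read_pw_before": stored.check(BOB, ALICE, "userPassword", "read"),
    }
    # Live policy change: an LDAP modify on alice's entry, no file edit or reload.
    stored.directory[ALICE]["aci"] = [
        "access to attrs=userPassword by self write by users read by * none"]
    r["stored_other_read_pw_after"] = stored.check(BOB, ALICE, "userPassword", "read")
    return r
```

`demo()` returns the access decisions for both models; the only difference in the last two keys is that the entry-stored policy was changed by writing to the entry between the checks, which is the "dynamic" property the quoted message says the flat-file approach lacks.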