Howard Chu wrote:
Michael Ströder wrote:
hyc@OpenLDAP.org wrote:
Full_Name: Howard Chu
Version: HEAD/2.5
OS:
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (76.91.220.157)
Submitted by: hyc
The access control mechanism needs to be extended to control actions, not just objects, to control who may use various LDAP Controls and Extended Operations.
+1
E.g.

access to control=<oid> by <who>
access to op=<operation or oid> by <who>
              ^^^^^^^^^
What is "operation" supposed to be? I'd prefer only to allow "oid" since OIDs are the only identifiers clearly specified in RFCs and I-Ds.
Ugh, no. There's no way any sysadmin is going to remember what each OID means.
There are tools to display them: http://demo.web2ldap.de:1760/web2ldap?ldap://ldap.uninett.no/??base
There also could be GUI tools to display ACLs to humans.
Each exop will be given a "friendly name" like WhoAmI, ModifyPwd, etc.
Who maintains the list of friendly names? Yes, the OpenLDAP project can maintain a proprietary list like all other LDAP vendors do. :-( Probably that's another topic for cross-vendor coordination...
Ciao, Michael.
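To make the disagreement above concrete, here is a small evaluator for the syntax proposed in this ITS ("access to control=<oid> by <who>" / "access to op=<name or oid> by <who>"). It is an added illustration, not OpenLDAP code; the syntax is only a proposal in this thread and slapd does not implement it. The friendly-name table is a constructed example of the vendor-maintained list Michael objects to: the OIDs are the registered ones (RFC 3062 Password Modify, RFC 4532 Who am I?), the names are the ones floated in the thread. The optional trailing "none" on a by-clause, the implicit trailing "by * none", and the first-match semantics are assumptions borrowed from how slapd evaluates ordinary ACLs.

```python
import re

# Constructed friendly-name table (the "who maintains this?" list from the
# thread). Unknown names are rejected rather than silently ignored, so a typo
# in a name cannot turn into an open or a closed policy by accident.
FRIENDLY_NAMES = {
    "ModifyPwd": "1.3.6.1.4.1.4203.1.11.1",  # RFC 3062 Password Modify
    "WhoAmI": "1.3.6.1.4.1.4203.1.11.3",     # RFC 4532 Who am I?
}

OID_RE = re.compile(r"^\d+(?:\.\d+)+$")
RULE_RE = re.compile(r"^access\s+to\s+(control|op)=(\S+)\s+(by\s+.+)$")
# "by <who> [none]"; the lookahead keeps a following "by" from being read
# as an access level.
BY_RE = re.compile(r"\bby\s+(\S+)(?:\s+(?!by\b)(\w+))?")
DN_WHO_RE = re.compile(r'^dn(?:\.exact)?="(.*)"$')


def resolve_oid(ident):
    """Accept either a dotted OID or a friendly name; return the OID."""
    if OID_RE.match(ident):
        return ident
    if ident in FRIENDLY_NAMES:
        return FRIENDLY_NAMES[ident]
    raise ValueError(f"unknown friendly name {ident!r}; give the OID instead")


def parse_rules(text):
    """Parse the proposed 'access to <kind>=<ident> by <who> [none] ...' lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line}")
        kind, ident, by_part = m.groups()
        # An empty access word means "grant"; "none" means "deny" (assumption).
        clauses = [(who, access != "none") for who, access in BY_RE.findall(by_part)]
        rules.append((kind, resolve_oid(ident), clauses))
    return rules


def who_matches(who, requester_dn):
    """requester_dn is None for an anonymous (unauthenticated) session."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    m = DN_WHO_RE.match(who)
    if m:
        # Case-insensitive string compare; real DN matching normalizes more.
        return requester_dn is not None and requester_dn.lower() == m.group(1).lower()
    raise ValueError(f"unsupported <who> clause {who!r}")


def is_allowed(rules, kind, ident, requester_dn):
    """First rule whose target matches decides; inside it the first matching
    by-clause decides; anything unmatched is denied (implicit 'by * none')."""
    oid = resolve_oid(ident)
    for rule_kind, rule_oid, clauses in rules:
        if rule_kind != kind or rule_oid != oid:
            continue
        for who, allow in clauses:
            if who_matches(who, requester_dn):
                return allow
        return False
    return False


# Constructed sample policy in the proposed syntax. The control OID is the
# Simple Paged Results control (RFC 2696), written as an OID to show that
# names and OIDs resolve to the same thing.
POLICY = """
access to op=WhoAmI by users
access to op=ModifyPwd by dn.exact="cn=admin,dc=example,dc=com" by users none
access to control=1.2.840.113556.1.4.319 by users
"""
RULES = parse_rules(POLICY)

if __name__ == "__main__":
    for kind, ident, dn in [
        ("op", "WhoAmI", None),
        ("op", "ModifyPwd", "uid=alice,dc=example,dc=com"),
        ("op", "ModifyPwd", "cn=admin,dc=example,dc=com"),
    ]:
        verdict = "allow" if is_allowed(RULES, kind, ident, dn) else "deny"
        print(f"{kind}={ident} as {dn or 'anonymous'}: {verdict}")
```

Note the design choice in resolve_oid: a name missing from the table is an error, not a no-op. Whatever list the project ends up maintaining, a rule that refers to a name the server does not know should fail at config load rather than quietly match nothing.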