Full_Name: Howard Chu
Version: HEAD/2.5
OS:
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (76.91.220.157)
Submitted by: hyc

The access control mechanism needs to be extended to control actions, not just objects, to control who may use various LDAP Controls and Extended Operations.
E.g.

    access to control=<oid> by <who>
    access to op=<operation or oid> by <who>

Perhaps the control= / op= specifier should be usable in combination with the other <what> specifiers; I haven't thought too deeply about it. It only makes sense in limited contexts, since various extensions may not even affect any particular directory object.