[...]
OpenLDAPaci: 0#entry#grant;r,s,c;objectClass#public#
OpenLDAPaci: 1#entry#grant;r,s,c;userReference#public#
OpenLDAPaci: 2#entry#grant;r,s,c;[entry]#public#
OpenLDAPaci: 3#entry#grant;r,s,c;useControls#users#
OpenLDAPaci: 4#entry#grant;r,s,c;useEzmlm#users#
[...]
openldapaci: 1#entry#grant;w,r,s,c;[entry]#access-id#uid=turbo,ou=people,o=fredriksson,c=se
[...]
Actually, what always seems strange to me with ACIs is that the ACL, whatever it actually contains, is stored inside _one_ attribute value. The following is clear to me:

1. The ACL for entry "X" is stored with the entry itself.
2. One entry may have zero or more ACLs stored with it.
3. One ACL has more than one "sub-value", where somehow a valid set of these sub-values of many kinds builds one final access list for an entry.
4. (?) Whatever one access list is going to contain, it must conform to the general access list syntax; it must always be possible to write down an ACL of the same meaning using both the slapd.conf ACL syntax and the ACI attribute value syntax.
Now, the question is, why does the ACI access list attribute keep the whole access list in "one line" (one value of the attribute)? An access list, anyway, is a set of information with a not-so-straight syntax; it holds at least three kinds of data: "by whom", "to where", "what", "grant/deny", etc. etc. (?).

Now, it's LDAP, right? An object database, class hierarchy, etc. So why is it not some object-based structure for the access list, but such a "one-line" structure? It reminds me of some overused MySQL-like application which uses a varchar column "mysupervaluecolumn" and puts into this column values like "val1", "val1,val5", "val5,val3", instead of creating a table and tuning up the information graining (er.. granularity, or whatever the appropriate word was :-).

I'm not an OpenLDAP developer, but I am a developer of some kind, so while I'm probably not aware of exactly _how_much_ work is involved in object-based storage of access lists, I am aware that it is very much, and probably much more than parsing some "one_line" value :-). But the question persists: am I missing something? Why are/were ACIs designed this way? Was there some reason, or did it just come up that way? :)

Sorry for the misdirect, if this post should go to the openldap-devel list :)

Regards,
Piotr
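The "one-line" value the post complains about does have a fixed internal structure, and points 3 and 4 of the post can be made concrete by splitting it. The following is an added example, not code from OpenLDAP or from the post. It parses OpenLDAPaci values of the layout visible in the quoted lines (`<oid>#<scope>#<action>;<perms>;<attrs>#<type>#<subject>`) into a record with separate "what", "by whom" and "grant/deny" parts, rejects malformed values, and renders each one as an approximately equivalent slapd.conf `access` directive. Assumptions: that the rights field may repeat `action;perms;attrs` triples; that the permission letters are slapd's own (`w`, `r`, `s`, `c`, `x`); that `[entry]` is the entry pseudo-attribute and `[all]` means every attribute; that `grant` maps to slapd's `+` form and `deny` to `-`; and that the DN of the entry holding the ACI is supplied by the caller, since the value itself does not contain it.

```python
"""Parse OpenLDAPaci values into structured records and render a roughly
equivalent slapd.conf 'access' directive.

Added example, not code from OpenLDAP or from the post. Assumed layout:
  <oid>#<scope>#<action>;<perms>;<attrs>[;<action>;<perms>;<attrs>...]#<type>#<subject>
Repeated triples, the letter meanings (slapd's w,r,s,c,x), the '[entry]' /
'[all]' mapping and the grant->'+' / deny->'-' rendering are assumptions.
"""
from dataclasses import dataclass
from typing import List

PERM_ORDER = "wrscx"                                  # emission order of slapd letters
SCOPE_TO_DNSTYLE = {"entry": "exact", "children": "children", "subtree": "subtree"}
BARE_SUBJECTS = {"public": "*", "users": "users", "self": "self"}    # take no subject
DN_SUBJECTS = {"access-id": 'dn.exact="{}"', "group": 'group="{}"'}  # need a subject

# Sample input: the values quoted in the post.
SAMPLE_ACIS = [
    "0#entry#grant;r,s,c;objectClass#public#",
    "1#entry#grant;r,s,c;userReference#public#",
    "2#entry#grant;r,s,c;[entry]#public#",
    "3#entry#grant;r,s,c;useControls#users#",
    "4#entry#grant;r,s,c;useEzmlm#users#",
    "1#entry#grant;w,r,s,c;[entry]#access-id#uid=turbo,ou=people,o=fredriksson,c=se",
]


@dataclass
class AciRight:
    action: str        # "grant" or "deny"
    perms: List[str]   # e.g. ["r", "s", "c"]
    attrs: List[str]   # e.g. ["objectClass"] or ["[entry]"]


@dataclass
class Aci:
    oid: str
    scope: str
    rights: List[AciRight]
    subject_type: str
    subject: str


def parse_aci(value: str) -> Aci:
    """Split one OpenLDAPaci value into its sub-values, rejecting malformed input."""
    parts = value.split("#")
    if len(parts) != 5:
        raise ValueError(f"expected 5 '#'-separated fields, got {len(parts)}: {value!r}")
    oid, scope, rights_field, stype, subject = parts
    if scope not in SCOPE_TO_DNSTYLE:
        raise ValueError(f"unknown scope {scope!r}")
    tokens = rights_field.split(";")
    if len(tokens) % 3:
        raise ValueError(f"rights must be action;perms;attrs triples: {rights_field!r}")
    rights = []
    for i in range(0, len(tokens), 3):
        action, perms, attrs = tokens[i:i + 3]
        if action not in ("grant", "deny"):
            raise ValueError(f"action must be grant or deny, got {action!r}")
        perm_list = [p for p in perms.split(",") if p]
        if not perm_list or any(p not in PERM_ORDER for p in perm_list):
            raise ValueError(f"bad permission letters {perms!r}")
        attr_list = [a for a in attrs.split(",") if a]
        if not attr_list:
            raise ValueError("rights triple names no attributes")
        rights.append(AciRight(action, perm_list, attr_list))
    if stype in BARE_SUBJECTS:
        if subject:
            raise ValueError(f"subject type {stype!r} takes no subject, got {subject!r}")
    elif stype in DN_SUBJECTS:
        if not subject:
            raise ValueError(f"subject type {stype!r} requires a subject")
    else:
        raise ValueError(f"unsupported subject type {stype!r}")
    return Aci(oid, scope, rights, stype, subject)


def to_slapd_access(aci: Aci, entry_dn: str) -> List[str]:
    """Render each rights triple as one slapd.conf access directive (approximate)."""
    target = f'dn.{SCOPE_TO_DNSTYLE[aci.scope]}="{entry_dn}"'
    if aci.subject_type in BARE_SUBJECTS:
        who = BARE_SUBJECTS[aci.subject_type]
    else:
        who = DN_SUBJECTS[aci.subject_type].format(aci.subject)
    lines = []
    for r in aci.rights:
        attrs = ",".join("entry" if a == "[entry]" else "*" if a == "[all]" else a
                         for a in r.attrs)
        sign = "+" if r.action == "grant" else "-"
        letters = "".join(p for p in PERM_ORDER if p in r.perms)
        lines.append(f"access to {target} attrs={attrs} by {who} {sign}{letters}")
    return lines


def translate_all(values: List[str], entry_dn: str) -> List[str]:
    """Parse and render a whole list of ACI values for one entry."""
    out = []
    for v in values:
        out.extend(to_slapd_access(parse_aci(v), entry_dn))
    return out


if __name__ == "__main__":
    for line in translate_all(SAMPLE_ACIS, "uid=turbo,ou=people,o=fredriksson,c=se"):
        print(line)
```

The parser refuses values with the wrong number of `#` fields, a rights field that is not whole `action;perms;attrs` triples, unknown permission letters, and a subject where none is allowed (or none where one is required); a server that stored such a value unchecked would silently grant nothing or the wrong thing, so validation on write is the practical answer to the "one-line" objection.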