On 31/07/2023 7:02 pm, Ondřej Kuzník wrote:
My answer is that it's wrong to force the ACL subsystem to interact with the connection's TLS/local socket/... contexts where a perfectly good way to do this exists (a Bind request). If you want to add it, a dynacl module is the way; I would personally be open to then merging such a dynacl module into contrib/ but am not volunteering to write it.
I agree with most of that. The ACLs should not be muddied by all the externalities. What I would really like to see is something like connection classes, where all the externalities (including any information from the client certificate) can be used to classify a connection, and then, that classification used to determine what rights the connection should be given. I think that kind of structure would lead to more understandable and more maintainable rulesets in general. But that's not how slapd works.
I disagree that bind is "perfectly good"