From 91b279ea10bd19ab377ed4e42d72bc47c327dafb Mon Sep 17 00:00:00 2001 From: leitner Date: Wed, 17 Jul 2002 13:07:09 +0000 Subject: [PATCH] thoughts about how to integrate ACLs --- FORMAT | 40 ++++++++++++++++++++++++++++++++++++++++ Makefile | 2 +- 2 files changed, 41 insertions(+), 1 deletion(-) diff --git a/FORMAT b/FORMAT index 656d77b..53e5ab4 100644 --- a/FORMAT +++ b/FORMAT 
@@ -41,3 +41,43 @@ All integers are stored LITTLE ENDIAN. The indices are at the end to make it possible to add more indices. The next pointer is there to make extensions possible. + + + +How do we do ACLs? + +The goal is to reduce the number of ACLs that need to be checked. +We have a 0 dword reserved in each record. The obvious use would be to +store a pointer to a list of permissions in each record. The question is: do +we store the list of ACLs that is valid if you authenticate as that dn, or do +we store the list of ACLs that needs to be checked if anyone accesses +that dn? I think it's better to store the permissions if anyone logs in +as that dn; the general user only has very simple access rules, so that +would keep the ACLs for the common case down. On the down side we need +to store the permissions for the anonymous bind somewhere, too. It also +means we optimize away the openldap "group member" indirection. + +The question is: how do we store the ACLs in the database? I suggest a +model where we store the auth ACLs first, then the read ACLs, then the +write ACLs. That way you can stop evaluating at the first write ACL +when you only want to read. And normally the bulk of the ACLs are for +writing. + +So, for each dn and access type we need to keep a list of +(dn-pattern,attribute[]) that this dn has access to. + + uint32_t auth_count; + +The syntax of the list should be: + uint32_t attributes[]; /* offsets of attribute names in stringtab, + terminated by 0. Empty list means: all */ + +Typische ACL: + +access to dn="ou=(Fraktion-[^,]+),ou=Fraktionen,o=bundestag,c=de" attr=userPassword + by self write + by anonymous auth + by group="cn=Gruppe A,ou=Administration,o=bundestag,c=de" write + by group="cn=$1,ou=Administration,o=bundestag,c=de" write + by * none + diff --git a/Makefile b/Makefile index 842c21b..f971ffb 100644 --- a/Makefile +++ b/Makefile 
@@ -1,4 +1,4 @@ -DEBUG=1 +#DEBUG=1 all: t1 t2 parse dumpidx idx2ldif addindex bindrequest tinyldap \ tinyldap_standalone tinyldap_debug ldapclient ldapclient_str \
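Review bot: In the FORMAT hunk the on-disk sketch does not match the prose above it: the text says each dn and access type needs a list of (dn-pattern, attribute[]) entries, stored as auth ACLs first, then read, then write so that evaluation can stop early, but the only fields actually written down are `uint32_t auth_count;` and `uint32_t attributes[];`. There is no read_count or write_count, no field holding the dn-pattern, and no statement of what the "0 dword reserved in each record" points to or how a record with no pointer is to be read. Suggest spelling out the full layout (the three counts, then per entry a dn-pattern string offset followed by the 0-terminated attribute offsets) and stating explicitly that a record without an ACL list grants nothing, because the hunk defines an empty attribute list as "all" and the anonymous-bind permissions are admitted to have no home yet, so leaving the missing-list case undefined risks an allow-by-default path. Two smaller points: the example's `by group="cn=$1,..."` refers to a capture from the dn regex, which a static per-bind-dn list can only reproduce if the pattern itself is stored with the entry; and the heading "Typische ACL:" is German in an otherwise English file.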
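Review bot: The Makefile hunk changes the default build from `DEBUG=1` to `#DEBUG=1`, which is unrelated to the ACL design note the commit message describes and is not mentioned in it. Suggest either keeping it out of this commit or adding a line to the message saying debug builds are no longer the default, and if non-debug is meant to stay the default, removing the line rather than leaving it commented out.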