ACLs are:

acl subject object attributes access;

subject and object are LDAP search filter expressions.
attributes is a comma separated list of attributes.
access says what accesses are allowed or disallowed in a chmod-like
syntax.

As an abbreviation, you can use '*' to mean '(objectClass=*)' for
subject or object, and you can use '*' to mean 'all attributes' in
attributes.

Example:

acl (dn=cn=root,o=fefe,c=de) (objectClass=*) * +rwdR


ACLs can have some redundancy in them, so we want to find filter strings
in ACLs that are the same, and then only evaluate them once. So we need
to write the ACLs to disk like this:

first the filters:

uint32 filters_count;
uint32 offsets_to_filters_in_scan_ldapsearchfilter_format[filters_count+1];
// the last pointer points after the marshalled filters

then each filter marshalled as readable by scan_ldapsearchfilter (or "self"):

[...]

then the ACLs:

uint32 acl_count;
uint32 offsets_to_acls[acl_count];

then for each acl:

uint32 subject_filter, object_filter; // index in above filters array
uint16 may,maynot; // bit fields for +rw-d
uint32 attributes[]; // 0 terminated
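The on-disk layout above, written out by an added C example that is not the project's own code: it interns the subject and object filter strings so duplicates are stored (and later evaluated) once, then emits the filter table, the filter bytes, the ACL offset table and the ACL records. Assumed, because the page does not state them: little-endian integers, filters marshalled as their plain strings instead of scan_ldapsearchfilter format, the +rwdR bit values, and attribute ids as uint32 indices.

```c
#include <stdint.h>
#include <string.h>
/* One ACL in parsed form. Filters stay plain strings (scan_ldapsearchfilter format is assumed away). */
struct acl {
  const char *subject, *object;  /* LDAP search filter strings */
  uint16_t may, maynot;          /* bit fields for allowed / denied accesses */
  const uint32_t *attrs;         /* attribute ids, 0-terminated */
};
enum { ACL_R = 1, ACL_W = 2, ACL_D = 4, ACL_RR = 8 };   /* assumed encoding of +rwdR */
/* Fixed little-endian encoding; the page does not state a byte order. */
static size_t put32(unsigned char *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (v >> 8*i) & 0xff; return 4; }
static size_t put16(unsigned char *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; return 2; }
uint32_t get32(const unsigned char *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
/* The dedup step: index of s in the filter table, appending it if it is new. */
static uint32_t intern(const char **tab, uint32_t *n, const char *s) {
  for (uint32_t i = 0; i < *n; i++) if (!strcmp(tab[i], s)) return i;
  tab[*n] = s; return (*n)++;
}
/* Write the on-disk layout from the page into out. Returns bytes written, 0 if out is too small. */
size_t marshal_acls(const struct acl *acls, uint32_t acl_count, unsigned char *out, size_t outlen) {
  const char *filters[128]; uint32_t fc = 0, subj[64], obj[64];   /* at most 2 new filters per ACL */
  if (acl_count > 64) return 0;
  for (uint32_t i = 0; i < acl_count; i++) { subj[i] = intern(filters, &fc, acls[i].subject); obj[i] = intern(filters, &fc, acls[i].object); }
  size_t need = 4 + 4*(fc + 1) + 4 + 4*acl_count;          /* the two counts and both offset tables */
  for (uint32_t i = 0; i < fc; i++) need += strlen(filters[i]) + 1;
  for (uint32_t i = 0; i < acl_count; i++) { size_t na = 0; while (acls[i].attrs[na]) na++; need += 12 + 4*(na + 1); }
  if (need > outlen) return 0;
  unsigned char *p = out; p += put32(p, fc);
  size_t off = 4 + 4*(fc + 1);                              /* first filter follows the offset table */
  for (uint32_t i = 0; i < fc; i++) { p += put32(p, (uint32_t)off); off += strlen(filters[i]) + 1; }
  p += put32(p, (uint32_t)off);                             /* extra entry: end of the marshalled filters */
  for (uint32_t i = 0; i < fc; i++) { size_t l = strlen(filters[i]) + 1; memcpy(p, filters[i], l); p += l; }
  p += put32(p, acl_count);
  unsigned char *acltab = p; p += 4*acl_count;              /* filled in as each ACL is written */
  for (uint32_t i = 0; i < acl_count; i++) {
    put32(acltab + 4*i, (uint32_t)(p - out));
    p += put32(p, subj[i]); p += put32(p, obj[i]); p += put16(p, acls[i].may); p += put16(p, acls[i].maynot);
    for (size_t k = 0; ; k++) { p += put32(p, acls[i].attrs[k]); if (!acls[i].attrs[k]) break; }
  }
  return (size_t)(p - out);
}
/* Constructed sample: three ACLs that share filters, so only three distinct filters are stored. */
static unsigned char demo_buf[256]; unsigned char *demo_buffer(void) { return demo_buf; }
size_t demo_marshal(void) {
  static const uint32_t none[] = {0}, a1[] = {7, 0}, a2[] = {3, 5, 0};
  const struct acl acls[] = {
    { "(dn=cn=root,o=fefe,c=de)", "(objectClass=*)", ACL_R|ACL_W|ACL_D|ACL_RR, 0, none },
    { "(objectClass=*)", "(objectClass=*)", ACL_R, ACL_D, a1 },
    { "(dn=cn=root,o=fefe,c=de)", "(uid=*)", ACL_R, ACL_W, a2 } };
  return marshal_acls(acls, 3, demo_buf, sizeof demo_buf);
}
```

A reader can walk the result from the two offset tables alone: the extra filter offset gives the end of the filter area, and each ACL record is located without parsing the variable-length attribute list of the record before it.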