Dear community, for the next release, I've been preparing extensions to the ACL syntax to address a feature request that comes up relatively often - restrict access to data/actions based on what controls are involved.
My thinking is that we could allow the following stanzas in the "access to <what>" part:

- op=<operation name> or op=<OID> for extended requests
- control=<OID>

In here, we would probably provide a shorthand for known OIDs using the OID macro in schemas, so you could write something like this:

---- 8< ----
access to dn.subtree=ou=people,dc=example,dc=com attrs=userPassword control=ppolicy
        by anonymous auth

access to dn.subtree=ou=people,dc=example,dc=com attrs=userPassword
        by group=cn=admin,ou=groups,dc=example,dc=com write
        by * none
---- 8< ----

As this is a deep change in how people work with ACLs, I'd like some feedback from the community at large before we commit to changing the syntax in a way that we have to live with for a long time.

Have you needed something like this? Does the proposed addition solve your use-case? Can you see issues that are not covered or new ones that could crop up when used like this and might not be desirable? Any other feedback or proposals for how this could be expressed are also welcome.

I'd like to add that this is unlikely to land until consensus has been achieved in the first place.

For those happy to test actual code, the above proposal lives in a merge request: https://git.openldap.org/openldap/openldap/-/merge_requests/720

Thanks,

--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
